This is the accessible text file for GAO report number GAO-06-674 
entitled 'Personal Information: Key Federal Privacy Laws Do Not Require 
Information Resellers to Safeguard All Sensitive Data' which was 
released on July 26, 2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Committee on Banking, Housing and Urban Affairs, U.S. 
Senate: 

United States Government Accountability Office: 

GAO: 

June 2006: 

Personal Information: 

Key Federal Privacy Laws Do Not Require Information Resellers to 
Safeguard All Sensitive Data: 

GAO-06-674: 

GAO Highlights: 

Highlights of GAO-06-674, a report to the Committee on Banking, Housing 
and Urban Affairs, U.S. Senate 

Why GAO Did This Study: 

The growth of information resellers—companies that collect and resell 
publicly available and private information on individuals—has raised 
privacy and security concerns about this industry. These companies 
collectively maintain large amounts of detailed personal information on 
nearly all American consumers, and some have experienced security 
breaches in recent years. 

GAO was asked to examine (1) financial institutions’ use of resellers; 
(2) federal privacy and security laws applicable to resellers; (3) 
federal regulators’ oversight of resellers; and (4) regulators’ 
oversight of financial institution compliance with privacy and data 
security laws. To address these objectives, GAO analyzed documents and 
interviewed representatives from 10 information resellers, 14 financial 
institutions, 11 regulators, industry and consumer groups, and others. 

What GAO Found: 

Financial institutions such as banks, credit card companies, securities 
firms, and insurance companies use personal data obtained from 
information resellers to help make eligibility determinations, comply 
with legal requirements, prevent fraud, and market their products. For 
example, lenders rely on credit reports sold by the three nationwide 
credit bureaus to help decide whether to offer credit and on what 
terms. Some companies also use reseller products to comply with PATRIOT 
Act rules, to investigate fraud, and to identify customers with 
specific characteristics for marketing purposes. 

GAO found that the applicability of the primary federal privacy and 
data security laws—the Fair Credit Reporting Act (FCRA) and 
Gramm-Leach-Bliley Act (GLBA)—to information resellers is limited. FCRA applies to 
information collected or used to help determine eligibility for such 
things as credit or insurance, while GLBA only applies to information 
obtained by or from a GLBA-defined financial institution. Although 
these laws include data security provisions, consumers could benefit 
from the expansion of such requirements to all sensitive personal 
information held by resellers. 

The Federal Trade Commission (FTC) is the primary federal agency 
responsible for enforcing information resellers’ compliance with FCRA’s 
and GLBA’s privacy and security provisions. Since 1972, the agency has 
initiated formal enforcement actions against more than 20 resellers, 
including the three nationwide credit bureaus, for violating FCRA. 
However, FTC does not have civil penalty authority under the privacy 
and safeguarding provisions of GLBA, which may reduce its ability to 
enforce that law most effectively against certain violations, such as 
breaches of mass consumer data. 

In overseeing compliance with privacy and data security laws, federal 
banking and securities regulators have issued guidance, conducted 
examinations, and taken formal and informal enforcement actions. A 
recent national survey sponsored by the National Association of 
Insurance Commissioners (NAIC) identified some noncompliance with GLBA 
by insurance companies, but state regulators have not laid out clear 
plans with NAIC for following up to ensure these issues are adequately 
addressed. 

Figure: Typical Information Flow through Resellers to Financial 
Institutions: 

[See PDF for Image] 

Source: GAO (analysis); Art Explosion (image). 

[End of Figure] 

What GAO Recommends: 

Congress should consider (1) requiring information resellers to 
safeguard all sensitive personal information they hold, and (2) giving 
FTC civil penalty authority for enforcement of GLBA’s privacy and 
safeguarding provisions. GAO also recommends that state insurance 
regulators ensure compliance with GLBA. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-674]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Yvonne D. Jones at (202) 
512-8678 or jonesy@gao.gov. 

[End of Section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Financial Institutions Use Information Resellers for Eligibility 
Determinations, Fraud Prevention, PATRIOT Act Compliance, and 
Marketing: 

Federal Privacy and Information Security Laws Apply to Many Information 
Reseller Products, Depending on Their Use and Source: 

FTC Has Primary Responsibility for Enforcing Information Resellers' 
Compliance with Privacy and Information Security Laws: 

Agencies Differ in Their Oversight of the Privacy and Security of 
Personal Information at Financial Institutions: 

Conclusions: 

Matters for Congressional Consideration: 

Recommendation for Executive Action: 

Agency Comments: 

Appendix I: Scope and Methodology: 

Appendix II: Sample Information Reseller Reports: 

Sample Insurance Claims History Report: 
Sample Deposit Account History Report: 
Sample Identity Verification and OFAC Screening Report: 
Sample Fraud Investigation Report: 

Appendix III: Comments from the Federal Trade Commission: 

Appendix IV: GAO Contact and Staff Acknowledgments: 

Figures: 

Figure 1: Typical Information Flow through Resellers to Financial 
Institutions: 

Figure 2: GLBA Privacy Provisions: 

Figure 3: Enforcement Responsibilities for Selected Financial 
Institutions under FCRA and GLBA: 

Figure 4: Sample Insurance Claims History Report: 

Figure 5: Sample Deposit Account History Report: 

Figure 6: Sample Identity Verification and OFAC Screening Report: 

Figure 7: Sample Fraud Investigation Report: 

Abbreviations: 

CRA: consumer reporting agency: 
DISB: District of Columbia's Department of Insurance, Securities and 
Banking: 
FACT Act: Fair and Accurate Credit Transactions Act: 
FCRA: Fair Credit Reporting Act: 
FDIC: Federal Deposit Insurance Corporation: 
FFIEC: Federal Financial Institutions Examination Council: 
FRB: Board of Governors of the Federal Reserve System: 
FTC: Federal Trade Commission: 
FTC Act: Federal Trade Commission Act: 
GLBA: Gramm-Leach-Bliley Act: 
NAIC: National Association of Insurance Commissioners: 
NCUA: National Credit Union Administration: 
NYSE Regulation: New York Stock Exchange Regulation: 
OCC: Office of the Comptroller of the Currency: 
OFAC: Office of Foreign Assets Control: 
OTS: Office of Thrift Supervision: 
SEC: Securities and Exchange Commission: 
USA PATRIOT Act: Uniting and Strengthening America by Providing 
Appropriate Tools Required to Intercept and Obstruct Terrorism Act: 

United States Government Accountability Office: 
Washington, DC 20548: 

June 26, 2006: 

The Honorable Richard C. Shelby: 
Chairman: 
The Honorable Paul S. Sarbanes: 
Ranking Minority Member: 
Committee on Banking, Housing and Urban Affairs: 
United States Senate: 

The growth in recent years of information resellers--companies that 
collect, aggregate, and resell publicly available and private 
information on individuals--has raised privacy and security concerns 
related to this industry.[Footnote 1] Information resellers maintain 
and sell vast amounts of detailed personal information on nearly all 
American consumers--including such things as Social Security numbers, 
home and automobile values, occupations and hobbies. In addition, 
security breaches at some of these companies have raised concerns in 
light of the increasing problem of identity theft. Some policymakers 
and consumer advocates believe that not enough is known about these 
resellers and the information about consumers that they maintain and 
share. 

Information resellers include consumer reporting agencies (CRA), which 
assemble and share credit histories and other personal information used 
to help make important decisions about individuals, such as their 
eligibility for financial services. Other companies, sometimes called 
"data brokers," collect personal information from a variety of sources 
for such things as marketing and fraud prevention. Advances in 
technology and the computerization of public records in recent years 
have fostered significant growth in the size of the reseller industry 
and the amount of personal consumer data that these companies assemble 
and distribute. 

The primary federal laws governing the sharing and use of personal 
information by private sector companies are the Fair Credit Reporting 
Act (FCRA) and subtitle A of title V of the Gramm-Leach-Bliley Act 
(GLBA).[Footnote 2] Several federal and state agencies and 
self-regulatory organizations enforce these laws, including the Federal 
Trade Commission (FTC); the banking regulators--Board of Governors of 
the Federal Reserve System (FRB), Office of the Comptroller of the 
Currency (OCC), Office of Thrift Supervision (OTS), Federal Deposit 
Insurance Corporation (FDIC), and National Credit Union Administration 
(NCUA); the securities regulators--Securities and Exchange Commission 
(SEC), NASD (formerly known as the National Association of Securities 
Dealers), and New York Stock Exchange Regulation (NYSE Regulation); and 
state insurance regulators. 

Concerned about financial institutions' use of information resellers, 
you asked us to examine (1) how financial institutions use data 
products supplied by information resellers, the types of information 
contained in these products, and the sources of the information; (2) 
how federal laws governing the privacy and security of personal data 
apply to information resellers, and what rights and opportunities exist 
for individuals to view and correct data held by resellers; (3) how 
federal financial institution regulators and the FTC oversee 
information resellers' compliance with federal privacy and information 
security laws; and (4) how federal financial institution regulators, 
state insurance regulators, and the FTC oversee financial institutions' 
compliance with federal privacy and information security laws governing 
consumer information, including information supplied by information 
resellers. 

To address these objectives, we gathered and analyzed documents, and 
interviewed representatives from, 10 major information resellers; 14 
financial institutions in the banking, securities, credit card, 
property/casualty insurance, and consumer lending industry sectors; and 
trade associations representing these firms. We also met with experts 
in the area of privacy law and with consumer advocacy organizations 
active in the field. Our audit work allows us to represent how 
financial institutions that offer a sizable and diverse portion of 
financial services in the United States use information resellers, and 
to describe the types of information products offered by the 
information resellers most commonly identified by these financial 
institutions. Our findings, however, are not representative of all 
financial institutions and information resellers. We also analyzed 
relevant laws, guidance, and regulations. Finally, to describe federal 
and state enforcement and supervisory activities, we interviewed and 
analyzed documents from FTC; the five federal banking and three 
securities regulators; the National Association of Insurance 
Commissioners (NAIC), which represents state insurance regulators; and 
the District of Columbia's Department of Insurance, Securities and 
Banking (DISB). 

We conducted our review from June 2005 through May 2006 in accordance 
with generally accepted government auditing standards. A more extensive 
discussion of our scope and methodology appears in appendix I. 

Results in Brief: 

Financial institutions use data from information resellers to help 
determine individuals' eligibility for credit and insurance, comply 
with legal requirements, prevent fraud, and market products. Banks and 
other lenders use reseller data to help make eligibility and interest 
rate decisions for new applicants and existing customers, while 
insurance companies use these data to help make underwriting decisions 
regarding individual insurance applications. To meet PATRIOT Act 
requirements designed to prevent money laundering and transactions with 
known criminals, some financial institutions we spoke with use 
resellers to confirm the identity of applicants. In addition, reseller 
data are used to identify and investigate fraud, locate holders of 
delinquent accounts, and conduct due diligence on individuals 
associated with new business ventures. Many companies also use certain 
information reseller products for marketing purposes--such as to target 
potential customers who have certain characteristics or to gather 
additional information about existing customers to offer additional 
products. The specific information maintained by resellers varies 
depending on the nature of the reseller and the types and purposes of 
its products. Their products often include credit header data-- 
identifying information at the top of a credit report that includes 
such things as name, current and prior addresses, telephone number, and 
Social Security number. Products used by lenders for eligibility 
determinations typically also contain detailed credit histories and 
scores, while products used by insurers may also contain past insurance 
claims filed by applicants. Many reseller products, particularly those 
used for fraud detection, include court and property records and 
bankruptcy filings, motor vehicle records, names of family members and 
associates, and professional licenses. Products used for marketing 
often include demographic information as well as information on 
individual consumers' interests and hobbies. Resellers' sources vary 
depending on the product, but may include public records from 
government agencies, publicly available information, such as telephone 
or business directories, and nonpublic or proprietary information from 
credit bureaus or provided to businesses directly by consumers. 

The primary federal privacy and data security laws that apply to 
information resellers are the Fair Credit Reporting Act (FCRA) and the 
Gramm-Leach-Bliley Act (GLBA), but the applicability of these laws with 
regard to information resellers is limited. FCRA requires companies to 
safeguard and restrict their use and distribution of consumer 
information collected or used to determine eligibility for such things 
as credit, insurance, or employment, and provides rights to consumers 
to view and rectify errors in databases containing such information. 
The applicability of FCRA depends largely on the purpose for which the 
information is collected, and its intended and actual use, rather than 
the origins or nature of the information itself. Resellers offer many 
products from databases they consider not subject to FCRA, such as 
those used for many marketing and anti-fraud products. Information 
resellers vary in the extent to which they voluntarily provide 
consumers additional opportunities to view, correct, and opt out of the 
sharing of information that is not subject to FCRA. GLBA's privacy 
provisions restrict the sharing of nonpublic personal information 
collected by or acquired from financial institutions, except in certain 
circumstances. However, these provisions only apply to information 
resellers covered by GLBA's definition of a "financial institution" or 
that maintain nonpublic personal information originating from such a 
financial institution. GLBA's safeguarding provisions require that 
steps be taken to ensure the security and confidentiality of customers' 
nonpublic personal information, but similarly this applies only to 
resellers that are GLBA financial institutions. Because of the limited 
applicability of FCRA and GLBA to information resellers, sensitive 
personal information these companies maintain is often not covered by 
explicit statutory safeguarding requirements. For example, some 
information resellers maintain data such as Social Security numbers in 
anti-fraud databases or household incomes in marketing databases that 
they do not consider subject to FCRA's or GLBA's safeguarding 
provisions. Requiring information resellers to take steps to prevent 
unauthorized access to all of the sensitive personal information they 
hold would help ensure that explicit data security requirements apply 
more comprehensively to a class of companies that maintains large 
amounts of such data. In addition, no federal statute requires 
companies to disclose breaches of sensitive personal information, 
although such a requirement could provide incentives to companies to 
improve data safeguarding and provide consumers at risk of identity 
theft or other related harm with useful information. 

FTC is the primary federal agency responsible for enforcing information 
resellers' compliance with the privacy and information security 
requirements of FCRA and GLBA. Because it is a law enforcement agency, 
as opposed to a regulatory or supervisory agency, FTC does not 
routinely monitor or examine resellers, but can initiate investigations 
based on complaints and other sources. Since 1972, the agency has 
initiated formal enforcement actions against more than 20 consumer 
reporting agencies, including the three nationwide credit bureaus, for 
violating FCRA and the Federal Trade Commission Act (FTC Act). For 
example, in January 2006, ChoicePoint agreed to pay $10 million in 
civil penalties and $5 million for consumer redress (damages to 
compensate consumers for losses) to settle FTC charges that the 
company's security and record-handling procedures allegedly violated 
FCRA and the FTC Act. Many of FTC's cases involved companies alleged to 
have provided consumer report information without adequately ensuring 
that their customers had a permissible purpose for obtaining it. FTC 
cannot impose civil penalties for violations of GLBA's privacy and 
safeguarding provisions, as it can under FCRA. FTC has used its 
existing enforcement authority under GLBA to seek injunctions against 
financial institutions that have violated that law, and it can also 
seek redress for consumers. However, FTC staff have said that civil 
penalties would be a more effective tool for violations involving 
breaches of mass consumer data. 

Federal and state regulators vary in the actions they take to oversee 
financial institutions' compliance with federal privacy and information 
security laws. In general, regulators told us that their oversight 
activities focus on the protection of all sensitive data; they do not 
typically distinguish whether the data were obtained from an 
information reseller or some other source. The five federal banking 
regulators have implemented and enforced GLBA and FCRA by issuing 
regulations and guidance, by using their examination procedures to 
check compliance with these laws, and by taking enforcement actions to 
address violations. SEC has issued regulations to implement GLBA for 
broker-dealers, investment companies, and SEC-registered investment 
advisers. SEC, NASD, and NYSE Regulation have also issued guidance and 
examined securities firms for compliance with GLBA's privacy and 
safeguarding provisions, and as necessary have taken enforcement 
actions. State insurance regulators are responsible for enforcing GLBA 
for their states' property-casualty insurers. NAIC told us that state 
insurance regulators do not typically focus in their examinations on 
privacy requirements, but that they did recently participate in a 
multistate survey of insurance company compliance with GLBA. The survey 
identified a number of areas of noncompliance with GLBA, but the extent 
to which state regulators will be addressing these problems is unclear. 
FTC enforces securities firms' and insurance companies' compliance with 
FCRA and enforces both FCRA and GLBA for all financial institutions not 
otherwise supervised by another regulator. FTC has issued regulations 
to implement GLBA and initiated enforcement actions against consumer 
finance companies for not ensuring the security and confidentiality of 
sensitive customer information. Some federal banking regulators have 
authority to examine third-party service providers with which the banks 
may do business, and regulators have examined a limited number of 
information resellers under this authority. 

This report suggests that Congress consider requiring information 
resellers, and potentially a broader class of entities, to safeguard 
all sensitive personal information they hold. We also suggest that 
Congress consider providing FTC with civil penalty authority for its 
enforcement of GLBA's privacy and safeguarding provisions. In addition, 
we recommend that state insurance regulators, individually and in 
concert with NAIC, take additional measures to ensure appropriate 
enforcement of insurance companies' compliance with GLBA's privacy and 
safeguarding requirements. We provided a draft of this report to FDIC, 
FRB, FTC, NAIC, NASD, NCUA, NYSE Regulation, OCC, OTS, and SEC, which 
provided technical comments that were incorporated as appropriate. In 
addition, FTC provided written comments, in which the agency noted that 
it agreed with our suggestions to Congress. 

Background: 

"Information reseller" is an umbrella term used to describe a wide 
variety of businesses that collect and aggregate personal information 
from multiple sources and make it available to their customers. The 
industry has grown considerably over the past two decades, in large 
part due to advances in computer technology and electronic storage. 
Courthouses and other government offices previously stored personal 
information in paper-based public records that were relatively 
difficult to obtain, usually requiring a personal visit to inspect the 
records. Nonpublic information, such as personal information contained 
in product registrations or insurance applications, was also generally 
inaccessible. In recent years, however, the electronic storage of 
public and private records along with increased computer processing 
speeds and decreased data storage costs have fostered information 
reseller businesses that collect, organize, and sell vast amounts of 
personal information on virtually all American consumers. 

The information reseller industry is large and complex, and these 
businesses vary in many ways. What constitutes an information reseller 
is not always clearly defined, and little data exist on the total number 
of firms that offer information products. FTC and other federal 
agencies do not keep comprehensive lists of companies that resell 
personal information, and experts say that characterizing the precise 
size and nature of the information reseller industry can be difficult 
because it is evolving and lacks a clear definition. Although no 
comprehensive data exist, industry representatives say there are at 
least hundreds of information resellers in total, including some 
companies that provide services over the Internet.[Footnote 3] 

We include in our definition of information resellers the three 
nationwide credit bureaus--Equifax, Experian, and TransUnion, which 
primarily collect and sell information about the creditworthiness of 
individuals--as well as other resellers such as ChoicePoint, Acxiom, 
and LexisNexis, which sell information for a variety of purposes, 
including marketing.[Footnote 4] Other companies that sell information 
products include eFunds, which provides depository institutions with 
information on deposit account histories; Thomson West and Regulatory 
DataCorp, which help companies mitigate fraud and other risks; and ISO, 
which provides insurers with insurance claims histories and fraud 
prevention products. Information resellers sell their products to a 
broad spectrum of customers, including private companies, individuals, 
law enforcement bureaus and other government agencies.[Footnote 5] 
Although major information resellers generally offer their products 
only to customers who have successfully completed a credentialing 
process, some resellers offer certain products, such as compilations of 
telephone directory information, to the public at large. All of these 
businesses differ in nature, and they do not all focus exclusively on 
aggregating and reselling personal information. For example, Acxiom 
primarily provides customized computer services, and its information 
products represent a relatively small portion of the overall activities 
of the company. 

Information resellers obtain their information from many different 
sources (see fig. 1). Generally, three types of information are 
collected: public records, publicly available information, and 
nonpublic information. 

* Public records are a primary source of information about consumers, 
available to anyone, and can be obtained from governmental entities. 
What constitutes public records is dependent upon state and federal 
laws, but generally these include birth and death records, property 
records, tax lien records, voter registrations, licensing records, and 
court records (including criminal records, bankruptcy filings, civil 
case files, and legal judgments). 

* Publicly available information is information not found in public 
records but nevertheless publicly available through other sources. 
These sources include telephone directories, business directories, 
print publications such as classified ads or magazines, Internet sites, 
and other sources accessible by the general public. 

* Nonpublic information is derived from proprietary or nonpublic 
sources, such as credit header data, product warranty registrations, 
lists of magazine or catalog subscribers, and other application 
information provided to private businesses directly by 
consumers.[Footnote 6] 

Information resellers hold or have access to databases containing a 
large variety of information about individuals. Although each reseller 
varies in the specific personal information it maintains, it can 
include names, aliases, Social Security numbers, addresses, telephone 
numbers, motor vehicle records, family members, neighbors, insurance 
claims, deposit account histories, criminal records, employment 
histories, credit histories, bankruptcy records, professional licenses, 
household incomes, home values, automobile values, occupations, 
ethnicities, and hobbies. 

Figure 1: Typical Information Flow through Resellers to Financial 
Institutions: 

[See PDF for image] 

Source: GAO (analysis); Art Explosion (image). 

[End of figure] 

The various products offered by different types of information 
resellers are used for a wide range of purposes, including credit and 
background checks, fraud prevention, and marketing. Resellers often 
sell their data to each other--for example, the credit bureaus sell 
credit header data to other resellers for use in identity verification 
and fraud prevention products. Resellers might also purchase publicly 
available information from one another, rather than gathering the 
information themselves. The nature of the databases maintained and 
products offered by information resellers varies. Credit bureaus maintain 
an individual file on most Americans containing financial information 
related to that person's creditworthiness. Most other resellers do not 
typically maintain complete files on individuals, but rather collect 
and maintain information in a variety of databases, and then provide 
their customers with a single consolidated source for a broad array of 
personal information. 

Financial Institutions Use Information Resellers for Eligibility 
Determinations, Fraud Prevention, PATRIOT Act Compliance, and 
Marketing: 

Financial institutions in the banking, credit card, securities, and 
insurance industries use personal data purchased from information 
resellers primarily to help make eligibility determinations, comply 
with legal requirements, prevent fraud, and market their 
products.[Footnote 7] Credit reports from the three nationwide credit 
bureaus help lenders determine eligibility for and the cost of credit, 
and reports on insurance claims histories from specialty CRAs help 
insurance companies make premium decisions for new applicants and 
existing customers. To meet certain legal requirements and detect and 
prevent fraud, financial institutions we studied also use reseller 
products to locate individuals or confirm their identity. In addition, 
certain reseller products containing demographic data and information 
on individuals' lifestyle interests and hobbies are used to help market 
financial products to existing or potential customers with certain 
characteristics. 

Consumer Reports Sold by Credit Bureaus and Other CRAs Are Used to Make 
Credit and Insurance Eligibility Decisions: 

Banks, credit card companies, and other lenders rely on credit reports 
sold by the three nationwide credit bureaus--Equifax, Experian, and 
TransUnion--when deciding whether to offer credit to an individual, at 
what rate, and on what terms. Banks use credit reports to help assess 
the credit risk of new customers before opening a new deposit account 
or providing a mortgage or other loan. Credit card companies use credit 
reports to determine whether to grant a credit card to an applicant, 
determine the terms of that card, and to adjust the account terms of 
current cardholders whose creditworthiness may have changed. In 
addition to lenders, insurance companies often use scores generated 
from credit report information to help determine premiums for the 
policies they underwrite. 

Credit bureaus receive the information in credit reports from the 
financial institutions themselves, among other sources. Credit reports 
consist of a "credit header"--identifying information such as name, 
current and previous addresses, Social Security number, and telephone 
number--and a credit history, or other payment history, designed to 
provide information on the individual's creditworthiness. The credit 
history might contain information on an individual's current and past 
credit accounts, including amounts borrowed and owed, credit limits, 
relevant dates, and payment histories, including any record of late 
payments. Credit reports also may include public record information on 
tax liens, bankruptcies, and other court judgments related to the 
payment of debts. Credit bureaus also sell credit scores, which are 
numerical representations of predicted creditworthiness based on 
information in credit reports, and are often used instead of full 
credit reports. For example, all three credit bureaus sell FICO® credit 
scores, which use factors such as payment history, amount owed, and 
length of credit history to help financial institutions predict the 
likelihood that a person will repay a loan.[Footnote 8] 

Some financial institutions also use specialty CRAs, which maintain 
specific types of files on consumers, to help make eligibility 
decisions. Insurance companies commonly use products from ChoicePoint 
and ISO, which compile data from insurance companies on the claims that 
individuals have made against their homeowner's or automobile insurance 
policies.[Footnote 9] Most insurance companies provide these CRAs with 
claim and loss information about their customers, including names, 
driver's license information, type of loss, date of loss, and amount 
the insurance company paid to settle the claim. The CRAs aggregate this 
information from multiple insurance companies to create either full 
reports or risk scores designed to help assess the likelihood that an 
individual will file a claim. Insurance companies purchase reports, or 
in some cases scores, associated with individuals applying for 
insurance and the property being insured to help decide whether to 
provide coverage and at what rate. Insurance companies also use this 
information to help determine whether to extend coverage and set 
premiums for existing policy holders. (See app. II for a sample 
insurance claims history report.) Insurance industry representatives 
told us aggregated claims data provided by specialty CRAs are extremely 
useful in making coverage and rate determinations. They noted, for 
example, that past losses are the best indicator of future driving risk 
and thus are useful to firms that underwrite auto insurance. 

Banks and credit unions frequently assess applicants of new checking 
and other deposit accounts using products offered by resellers such as 
ChexSystems, a specialty CRA that is a subsidiary of eFunds. 
ChexSystems compiles information from banks and credit unions on 
accounts that have been closed due to account misconduct such as 
overdrafts, insufficient funds activity, returned checks, bank fraud, 
and check forgery. The company also aggregates available driver's 
license information from state departments of motor vehicles, and 
receives information from check-printing companies on check order 
histories, which can help identify fraud. Banks we spoke with said that 
the name and identifying information of a customer seeking to open a 
new deposit account is typically run through the ChexSystems database. 
The reports provided back to the financial institution by ChexSystems 
typically include identifying information, as well as information 
useful in assessing an applicant's risk, such as the applicant's 
history of check orders and the source and details of any account 
misconduct. (See app. II for a sample deposit account history report.) 

Financial Institutions Use Information Resellers to Comply with the 
PATRIOT Act, Prevent Fraud, Mitigate Risk, and Locate Individuals: 

Financial institutions use data purchased from information resellers to 
comply with legal requirements; detect, prevent, and investigate fraud; 
identify risks associated with prospective clients; and locate debtors 
or shareholders. 

Complying with PATRIOT Act Requirements: 

Financial institutions we spoke with frequently use products provided 
by information resellers to comply with PATRIOT Act 
requirements.[Footnote 10] Congress intended these provisions to help 
prevent terrorists and other criminals from using the U.S. financial 
system to fund terrorism and launder money. The act requires financial 
institutions to develop procedures to assure the identity of new 
customers.[Footnote 11] Many resellers offer products that verify and 
validate a new customer's identity by comparing information the 
customer provided to the financial institution with information 
aggregated from public and private sources. Some financial 
institutions, particularly those that offer services by telephone, 
mail, or the Internet, often confirm customers' identities using these 
reseller products. Other companies may verify their customers' identity 
from a driver's license, passport, or other paper document, but use 
information resellers for additional verification. 

Financial institutions must also screen their customers to ensure they 
are not on the Department of the Treasury's Office of Foreign Assets 
Control (OFAC) Specially Designated Nationals and Blocked Persons List. 
The list includes individuals and entities that financial institutions 
are generally prohibited from conducting transactions with because they 
have been identified as potential terrorists, money launderers, 
international narcotics traffickers, or other criminals. Many 
information resellers offer products to financial institutions that 
screen new customers against the OFAC list; often this screening is 
packaged with identity verification in a single product. (See app. II 
for a sample identity verification and OFAC screening report.) The OFAC 
list is a publicly available government document, but financial 
institutions told us they use resellers for their screening because it 
allows them to do so more quickly and helps them separate true matches 
from false matches on common names that appear on the list. Some financial 
institutions use resellers to screen new customers against the OFAC 
list, while others periodically screen all of their existing customers. 
Some companies told us they do most of their OFAC screening internally, 
but sometimes use a reseller to gather additional information 
confirming whether a potential match is indeed an individual that is on 
the OFAC list. 

To verify a customer's identity or conduct an OFAC screening, a 
financial institution typically uses a Web-based portal to provide an 
information reseller with basic information about the individual being 
screened--such as the person's name, Social Security number, address, 
driver's license number, phone number, and date of birth. The reseller 
then checks the information against its own records, and typically 
provides a "pass" response if the information matches, or a "fail" 
response if, for example, the date of birth does not match the name. 
Resellers' screening products generally draw on credit header data 
purchased from the credit bureaus, along with publicly available data 
such as address and telephone records and drivers' license records from 
state agencies. Customer verification databases also include 
information that may indicate suspicious activity, such as prison or 
campground addresses, disconnected telephone numbers, and Social 
Security numbers of deceased individuals. 
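The verification and screening workflow described above (submitted 
attributes compared with aggregated records, a "pass" or "fail" result, 
suspicious-indicator flags, and name screening that has to separate a 
true watch-list hit from a common-name false match) can be sketched in 
code. The following is an added example, not code from the report or 
from any reseller; the records, the watch list, the field names and the 
0.85 match threshold are all constructed for illustration, and the real 
OFAC list is not reproduced here. 

```python
"""Identity verification and watch-list screening modelled on the reseller
workflow the report describes.  Added example; all data below is constructed
(no real people, not the real OFAC SDN list) and the thresholds are assumptions."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
import re

# Constructed stand-in for a reseller's aggregated records (credit header data,
# phone records, DMV data) with the suspicious-indicator flags the report mentions.
RESELLER_RECORDS = [
    {"name": "Maria J. Lopez", "ssn": "123-45-6789", "dob": "1980-04-12",
     "address": "12 Elm St, Springfield, IL", "phone": "217-555-0100",
     "ssn_deceased": False, "phone_disconnected": False, "address_type": "residential"},
    {"name": "John Smith", "ssn": "987-65-4321", "dob": "1975-09-30",
     "address": "1 Correctional Way, Joliet, IL", "phone": "815-555-0199",
     "ssn_deceased": False, "phone_disconnected": True, "address_type": "prison"},
    {"name": "Alan Turing", "ssn": "111-22-3333", "dob": "1912-06-23",
     "address": "5 Lake Rd, Madison, WI", "phone": "608-555-0123",
     "ssn_deceased": True, "phone_disconnected": False, "address_type": "residential"},
]

# Constructed stand-in for a sanctions list entry: primary name, aliases, DOB if known.
WATCH_LIST = [
    {"name": "John Smith", "aliases": ["Jon Smyth"], "dob": "1962-01-15"},
    {"name": "Ivan Petrov", "aliases": ["I. Petroff"], "dob": None},
]

def normalize_name(name: str) -> str:
    """Lowercase, strip punctuation and single-letter initials: 'Maria J. Lopez' -> 'maria lopez'."""
    tokens = re.sub(r"[^a-z ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if len(t) > 1)

def digits(s: str) -> str:
    """Keep only digits so '987-65-4321' and '987654321' compare equal."""
    return re.sub(r"\D", "", s)

@dataclass
class VerificationResult:
    status: str                                   # "pass" or "fail"
    mismatches: list = field(default_factory=list)  # fields that disagreed with the record
    indicators: list = field(default_factory=list)  # suspicious indicators, reported even on pass

def verify_identity(submitted: dict, records=RESELLER_RECORDS) -> VerificationResult:
    """Look up the record by SSN, then require name and DOB to agree with it.
    A deceased SSN fails outright; other indicators are returned for the institution to weigh."""
    rec = next((r for r in records if digits(r["ssn"]) == digits(submitted["ssn"])), None)
    if rec is None:
        return VerificationResult("fail", ["ssn: no record"])
    mismatches = []
    if normalize_name(rec["name"]) != normalize_name(submitted["name"]):
        mismatches.append("name")
    if rec["dob"] != submitted["dob"]:
        mismatches.append("dob")
    indicators = []
    if rec["ssn_deceased"]:
        indicators.append("ssn belongs to a deceased individual")
    if rec["phone_disconnected"] and digits(rec["phone"]) == digits(submitted.get("phone", "")):
        indicators.append("submitted phone is disconnected")
    if rec["address_type"] in ("prison", "campground"):
        indicators.append(f"address on file is a {rec['address_type']} address")
    status = "fail" if mismatches or rec["ssn_deceased"] else "pass"
    return VerificationResult(status, mismatches, indicators)

def screen_watch_list(submitted: dict, watch_list=WATCH_LIST, threshold=0.85) -> dict:
    """Fuzzy-match the name against each listed name and alias, then use DOB as the
    secondary attribute that separates a true hit from a common-name false match.
    Returns {"status": "clear" | "review" | "hit", "candidates": [...]}."""
    subj = normalize_name(submitted["name"])
    candidates = []
    for entry in watch_list:
        best = max(SequenceMatcher(None, subj, normalize_name(n)).ratio()
                   for n in [entry["name"], *entry["aliases"]])
        if best >= threshold:
            candidates.append({"name": entry["name"], "score": round(best, 2),
                               "dob_match": entry["dob"] is not None
                               and entry["dob"] == submitted.get("dob")})
    if not candidates:
        return {"status": "clear", "candidates": []}
    status = "hit" if any(c["dob_match"] for c in candidates) else "review"
    return {"status": status, "candidates": candidates}

if __name__ == "__main__":
    applicant = {"name": "John Smith", "ssn": "987654321", "dob": "1975-09-30",
                 "phone": "(815) 555-0199"}
    print(verify_identity(applicant))    # pass, with prison-address and disconnected-phone indicators
    print(screen_watch_list(applicant))  # "review": name matches a listed John Smith, DOB does not
```

The "review" status is the point the financial institutions made: a 
name-only match on "John Smith" is a likely false positive, and a second 
attribute such as date of birth is what turns it into a "hit" or clears 
it. Note that the alias list matters as well: "Jon Smyth" scores below 
the threshold against "John Smith" on raw string similarity and is caught 
only because the list carries it as an alias. 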

Preventing and Detecting Fraud: 

The financial institutions we reviewed use information reseller tools 
to assist their fraud prevention and detection efforts. For example, 
banks and credit card companies sometimes use information reseller 
products to authenticate the identity of existing customers who call to 
update or receive account information or to order a replacement credit 
card. Authentication products usually draw on information similar to 
that used for verification products, most commonly credit header data 
and public records. Some resellers offer products that also allow the 
financial institution to access the customers' credit history with 
their permission, which provides additional personal information that 
can be used to verify identity. For example, a customer might be asked 
the year an automobile loan was originated or the credit limit on a 
credit card. 

Fraud departments of financial institutions in our review also use more 
detailed products from information resellers to investigate suspected 
identity theft or account fraud, such as the use of a stolen credit 
card number. (See app. II for a sample fraud investigation report.) In 
these cases, a company's fraud department often purchases from 
information resellers detailed background information on a suspect's 
current and prior residences, vehicles, relatives, aliases, criminal 
records (in certain states), and other information that can be useful 
in directing an investigation. Examples of the uses of fraud products 
offered by resellers include: 

* obtaining detailed personal information about people associated with 
potential fraud, or their relatives and associates; 

* detecting links between individuals who may be co-conspirators in 
fraud or misconduct; 

* identifying multiple insurance claims made by the same person; 

* identifying individuals who are associated with multiple addresses, 
telephone numbers, or vehicles in ways that indicate potential fraud; 

* obtaining contact information for key individuals, such as witnesses 
to car accidents identified in police reports; or: 

* identifying instances where insurance policy applicants have failed 
to disclose certain required information. 

Reducing Risk and Locating Individuals: 

Financial institutions also sometimes use reseller products to help 
identify potential reputational risk or other risks associated with new 
customers or business partners. For example, securities firms told us 
they screen individuals like prospective wealth management clients or 
merger partners to check for a criminal record, disciplinary action by 
securities regulators, negative news media coverage, and known 
affiliation with terrorism, drug trafficking, or organized crime. 

Financial institutions we spoke with also often use information 
resellers to locate individuals. For example, lenders use reseller 
products to find customers who have defaulted on debts, and some mutual 
fund companies use these products to locate lost shareholders. The 
information provided by products used for this purpose is derived 
largely from credit header data, telephone records, and public records 
data, and may include an individual's aliases, addresses, telephone 
numbers, Social Security number, motor vehicle records, as well as the 
names of neighbors and associates. For example, one financial 
institution told us its debt collectors use a ChoicePoint product 
called DEBTOR Discovery to get such information to help locate 
delinquent debtors. 

Some Financial Institutions Use Information Resellers for Marketing: 

Some information resellers offer certain products that help financial 
institutions market their financial products and services to new or 
existing customers with specific characteristics. Databases held by 
resellers offering marketing products include a variety of information 
on individuals and households, such as household size, number and ages 
of children, estimated household income, homeownership status, 
demographic data, and lifestyle interests and activities. These 
databases derive their information from public records as well as 
nonpublic sources such as self-reported marketing surveys, product 
warranty cards, and lists of magazine subscribers, which may be used to 
provide financial institutions and other companies with lists of 
consumers meeting certain criteria.[Footnote 12] For example, a bank 
marketing a college savings account might request the names and 
addresses of all households in certain ZIP codes that have children 
under the age of 18 and household incomes of $100,000 or more. 
Financial institutions we studied also use certain reseller products to 
gather additional information on their existing customers to market 
additional products and services. For example, we spoke with an 
insurance company that used an information reseller to learn which of 
its existing customers owned boats, so those customers could be 
targeted for boat insurance. Similarly, one bank we spoke with used an 
information reseller to help market a sailing credit card to current 
customers who lived near bodies of water. 

Many companies that solicit new credit card accounts and insurance 
policies use nationwide credit bureaus for "prescreening" to identify 
potential customers for the products they offer.[Footnote 13] A lender 
or insurance company establishes criteria, such as a minimum credit 
score, and then purchases from a credit bureau a list of people in the 
bureau's database who meet those criteria. In some cases, the financial 
institution already has a list of potential customers that it provides 
to the credit bureau to identify individuals on the list who meet the 
criteria. Financial institutions sometimes also use a second 
information reseller to help them obtain from a credit bureau a list 
that includes only consumers meeting specific demographic or lifestyle 
criteria. For example, in marketing a home equity line of credit, a 
lender may use a second information reseller to work with a credit 
bureau to identify creditworthy individuals that are also homeowners 
and live in certain geographic areas, to which the lender will then 
make a firm offer of credit. Financial institutions sometimes use data 
from information resellers for models--developed by either the 
institution or the reseller--that seek to predict consumers likely to 
be interested in a new product and unlikely to present a credit risk. 
For example, a firm we spoke with that was marketing credit cards to 
college students used reseller data to determine the characteristics of 
college students that indicate they will be successful credit card 
borrowers. 

Federal Privacy and Information Security Laws Apply to Many Information 
Reseller Products, Depending on Their Use and Source: 

The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act 
(GLBA) are the primary federal laws governing the privacy and security 
of personal data collected and shared by information resellers. FCRA 
limits resellers' use and distribution of personal data, and allows 
consumers to access the data held on them, but it only applies to 
information collected or used primarily to make eligibility 
determinations. Unless FCRA applies to a product and its database, 
resellers typically provide only limited opportunities for the consumer 
to access, correct, or restrict sharing of the personal data held on 
them. GLBA's privacy provisions restrict the sharing of nonpublic 
personal information collected by or acquired from financial 
institutions, including resellers covered by GLBA's definition of 
financial institution (GLBA financial institutions). Further, GLBA's 
safeguarding provision requires resellers that are GLBA financial 
institutions to safeguard this information. 

Several Federal Privacy and Security Laws Apply to Personal Data Held 
by Information Resellers: 

No single federal law governs the use or disclosure of all personal 
information by private sector companies. Similarly, there are no 
federal laws designed specifically to address all of the products sold 
and data maintained by information resellers.[Footnote 14] Instead, a 
variety of different laws govern the use, sharing, and protection of 
personal information that is maintained for specific purposes or by 
specific types of entities. The two primary federal laws that protect 
personal information maintained by private sector companies are FCRA 
and GLBA. FCRA protects the security and confidentiality of personal 
information that is collected or used to help make decisions about 
individuals' eligibility for, among other things, credit, insurance, or 
employment, while GLBA is designed to protect personal financial 
information that individuals provide to or that is maintained by 
financial institutions. 

In addition to FCRA and GLBA, other federal laws that directly or 
indirectly address privacy and data security may also cover some 
information reseller products.[Footnote 15] The Driver's Privacy 
Protection Act of 1994 regulates the use and disclosure by state motor 
vehicle departments of personal information from motor vehicle 
records.[Footnote 16] Personal motor vehicle records may be purchased 
and sold only for certain purposes--such as insurance claims 
investigations and other anti-fraud activities--unless a state motor 
vehicle agency has received express consent from the individual 
indicating otherwise.[Footnote 17] In addition, the Federal Trade 
Commission Act (FTC Act), enacted in 1914 and amended on numerous 
occasions, gives FTC the authority to prohibit and act against unfair 
or deceptive acts or practices.[Footnote 18] The failure by a 
commercial entity, such as an information reseller, to reasonably 
protect personal information could be a violation of the FTC Act if the 
company's actions constitute an unfair or deceptive act or practice. 
Finally, some federal banking regulators have authority to oversee 
their institutions' third-party service providers to ensure the safety 
and soundness of financial institutions.[Footnote 19] For example, if a 
vendor such as an information reseller did not employ reasonable 
safeguards to maintain a bank's records, federal banking regulators 
could examine the vendor to identify and remedy the risks.[Footnote 20] 

FCRA Applies Only to Consumer Information Used to Determine 
Eligibility: 

The Fair Credit Reporting Act (FCRA), enacted in 1970, protects the 
confidentiality and accuracy of personal information used to make 
certain types of decisions about consumers. Specifically, FCRA applies 
to companies that furnish, contribute to, or use "consumer reports"-- 
reports containing information about an individual's personal and 
credit characteristics used to help determine eligibility for such 
things as credit, insurance, employment, licenses, and certain other 
benefits.[Footnote 21] Businesses that evaluate consumer information or 
assemble such reports for third parties are known as consumer reporting 
agencies, or CRAs. Consumer reports covered by FCRA comprise a 
significant portion of consumer data transactions in the United States. 
For example, according to an industry association that represents CRAs, 
the three nationwide credit bureaus sell over 2.5 billion credit 
reports each year on average. FCRA places certain restrictions and 
obligations on CRAs that issue these reports. For example, the law 
restricts the use of consumer reports to certain permissible purposes, 
such as approving credit, imposes certain disclosure requirements, and 
requires that CRAs take steps to ensure that information in these 
reports is not misused. It also provides consumers with certain rights 
in relation to their credit reports, such as the right to dispute the 
accuracy or completeness of items in the reports. Congress has amended 
FCRA a number of times, most recently with the Fair and Accurate Credit 
Transactions Act of 2003 (FACT Act), which sought to promote more- 
accurate credit reports and expand consumers' access to their credit 
information.[Footnote 22] 

Information resellers are subject to FCRA's requirements only with 
regard to information used to compile consumer reports--that is, 
reports used to help determine eligibility for certain purposes, 
including credit, insurance, or employment. Thus, FCRA applies to 
databases used to compile credit reports sold by the three nationwide 
credit bureaus, and its provisions apply both to the credit bureaus 
themselves as well as to other information resellers that purchase and 
resell credit reports for use by others. FCRA also applies to databases 
used to generate specialty consumer reports--which consist of such 
things as tenant history, check writing history, employment history, 
medical information, or insurance claims--that are used to help make 
eligibility determinations. For example, according to ChoicePoint, FCRA 
applies to the data used in most of its WorkPlace Solutions products, 
which employers use to make hiring decisions. Similarly, according to 
LexisNexis, FCRA applies to its Electronic Bankruptcy Notifier product 
data, which financial institutions use to determine whether to offer 
customers credit or other financial services. Overall, 8 of the 10 
information resellers we spoke with said that at least some of their 
products are consumer reports as defined by FCRA. They said their 
contracts prohibit their customers from using their non-FCRA products 
for purposes related to making eligibility determinations. 

According to the information resellers included in our review, FCRA 
does not cover many databases used to create other products they offer 
because, as defined by the law, the information was not collected for 
making eligibility determinations and the products are not intended to 
be used for making eligibility determinations.[Footnote 23] For 
example, some of the information resellers we spoke with did not treat 
data in some products used to identify and prevent fraud as subject to 
FCRA. Similarly, resellers do not typically consider databases used 
solely for marketing purposes to be covered by FCRA. Because the 
definition of a consumer report under FCRA depends on the purpose for 
which the information is collected and on the reports' intended and 
actual use, an information reseller apparently may have two essentially 
identical databases with only one of them subject to FCRA. 

FCRA also restricts financial institutions and other companies that use 
consumer reports from using them for purposes other than those 
permitted in the law. Financial institutions must also notify consumers 
if they take an adverse action--such as denying an applicant a credit 
card--based on information in a consumer report. Under FCRA, companies 
that furnish information to CRAs also must take steps to ensure the 
accuracy of information they report. Further, users of consumer reports 
must properly dispose of consumer reports they maintain. The law also 
limits financial institutions and other entities from sharing certain 
credit information with their affiliates for marketing purposes. Final 
regulations to implement this statutory limitation have not yet been 
promulgated. 

FCRA Provides Access, Correction, and Opt-Out Rights for Consumer 
Reports: 

FCRA is the primary federal law that provides rights to consumers to 
view, correct, or opt out of the sharing of their personal information, 
including data held by information resellers. Under FCRA, as recently 
amended by the FACT Act, consumers have the right to: 

* obtain all of the information about themselves contained in the files 
of a CRA upon request, including their credit history; 

* receive one free copy of their credit file from nationwide CRAs and 
nationwide specialty CRAs once a year or under certain other 
circumstances;[Footnote 24] 

* dispute information that is incomplete or inaccurate, and have their 
claims investigated and any errors deleted or corrected, as provided by 
the law; and: 

* opt out of allowing CRAs to provide their personal information to 
third parties for prescreened marketing offers.[Footnote 25] 

Most of FCRA's access, correction, and opt-out rights apply not just to 
the three nationwide credit bureaus--Experian, TransUnion, and 
Equifax--but also to other CRAs, including nationwide specialty CRAs that 
provide reports on such things as insurance claims and tenant 
histories. The law imposes slightly different requirements on these 
entities with respect to free annual reports. For example, FCRA's 
implementing regulation requires Experian, TransUnion, and Equifax to 
create a centralized source for accepting consumer requests for free 
credit reports, which must include a single dedicated Web site, a toll- 
free telephone number, and mail directed to a single postal address 
where consumers can order credit reports from all three nationwide 
CRAs.[Footnote 26] Nationwide specialty CRAs are individually required 
to maintain a toll-free number and a streamlined process for accepting 
and processing consumer requests for file disclosures.[Footnote 27] 
Other CRAs must provide consumers with a copy of their report upon 
request (although in most cases they may charge a reasonable fee for 
it), and they must allow consumers to dispute information they believe 
to be inaccurate. In practice, consumers may find it difficult in some 
cases to effectively access and correct information held by nationwide 
specialty CRAs because there may be hundreds of such CRAs and no master 
list exists. For example, job seekers who want to confirm the accuracy 
of information about themselves in background-screening products would 
need to request their consumer reports from the dozens of such 
companies that offer such products. 

Consumers generally do not have the legal right to access or correct 
information about them contained in non-FCRA databases, such as those 
used for marketing purposes or, in some cases, fraud detection. The 
information resellers we studied varied in the extent to which they 
voluntarily provide consumers with additional opportunities to view, 
correct, and opt out of the sharing of information beyond what the law 
requires. The three nationwide credit bureaus allowed consumers to view 
only information that is subject to FCRA. However, three other 
information resellers we spoke with allowed consumers to order summary 
reports of some data maintained about them that was not subject to 
FCRA. These reports varied in length and detail but typically contained 
consumer data obtained from public records, publicly available 
information, and credit header information. Consumers did not typically 
have the right to see data maintained about them related to marketing, 
such as information on their household income, interests, or hobbies, 
which was often obtained from warranty cards or self-reported survey 
questionnaires. 

Information resellers told us that consumers who request correction of 
inaccurate data not covered by FCRA are typically referred to the 
government or private entity that was the source of the data. Many 
resellers told us that because their databases are so frequently 
updated, simply correcting their own databases would not be effective 
because it would soon be refreshed by new erroneous data from the 
original source. However, one reseller told us it has procedures that 
prevent such corrections from being overwritten. Some resellers offered 
limited opportunities for consumers to opt out of their databases even 
for data not covered by FCRA, but they typically allow this only for 
data used for marketing purposes. The five resellers we spoke with that 
maintain personal data used for marketing allowed consumers to request 
that their information not be shared with third parties. None of the 
resellers we spoke with offered all consumers the ability to opt out of 
identity verification or fraud products. They noted that it would 
undermine the effectiveness of the databases if, for example, criminals 
could remove themselves from lists of fraudsters. Some resellers do 
allow opt-out opportunities to certain individuals, such as judges or 
identity-theft victims, who may face potential harm from having their 
information included in reseller databases. 

Industry representatives, consumer advocates, and others offer 
differing views on whether the access, correction, and opt-out rights 
provided under FCRA should be expanded. Many consumer advocates and 
others have argued that these rights should not be limited to consumer 
information used for eligibility purposes, but should explicitly extend 
as well to databases not currently considered by resellers to be 
subject to FCRA, such as those used for some anti-fraud products. 
Proponents of this view argue that basic privacy principles dictate 
that consumers should have the right to know what information is being 
collected and maintained about them. In addition, they argue that 
errors in these databases have the potential to harm consumers. For 
example, an individual could be denied a volunteer opportunity or 
falsely pursued as a crime suspect due to erroneous information in a 
reseller database not covered under FCRA. 

In contrast, some information resellers, financial services firms, and 
law enforcement representatives have argued that providing individuals 
expanded access, correction, and opt-out rights is unnecessary and 
could harm fraud prevention and criminal investigations by providing 
individuals with the opportunity to see and manipulate the information 
that exists about them. They also note that expanding these rights 
could create new regulatory burdens. For example, firms maintaining 
databases for marketing purposes could face substantial costs and 
complications developing and implementing processes for consumers to 
see, challenge, and correct the data held on them. Information 
resellers noted that providing access and correction rights for 
personal information in marketing databases makes little sense because 
the accuracy of this information is much less important than for 
information used to make crucial eligibility decisions. 

GLBA Applies to Information Resellers That Are Financial Institutions 
or Receive Information from Financial Institutions: 

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, limits with certain 
exceptions the sharing of consumer information by financial 
institutions and requires them to protect the security and 
confidentiality of customer information. Further, GLBA limits the reuse 
and redisclosure of the information for those receiving it. GLBA's key 
provisions with regard to information resellers, therefore, cover the 
privacy, reuse, redisclosure, and safeguarding of information. 

GLBA Privacy Provisions: 

GLBA's privacy provisions generally limit financial institutions from 
sharing nonpublic personal information with nonaffiliated companies 
without first providing certain notice and, where appropriate, opt-out 
rights to their own customers and other consumers with whom they 
interact.[Footnote 28] GLBA distinguishes between a financial 
institution's "customers" and other individuals the financial 
institution may interact less with, which the law refers to as 
"consumers." Specifically, a consumer is an individual who obtains a 
financial product or service from a financial institution.[Footnote 29] 
On the other hand, a customer is a consumer who has an ongoing 
relationship with a financial institution. For example, someone who 
engages in an isolated transaction with a financial institution, such 
as obtaining an ATM withdrawal, is a consumer, whereas someone who has 
a deposit account with a bank would be a customer. While some GLBA 
requirements, such as the privacy requirements, apply broadly to cover 
consumer information in many cases, other provisions of GLBA apply only 
to customer information. For example, GLBA's safeguarding requirements 
oblige financial institutions to protect only customer information. 

GLBA requires financial institutions to provide their customers with a 
notice at the start of the customer relationship and annually 
thereafter for the duration of that relationship. The notice must 
describe the company's sharing practices and give customers, and in 
some cases consumers, the right to opt out of some sharing. GLBA 
exempts companies from notice and opt-out requirements under certain 
circumstances. For example, financial institutions and CRAs may share 
personal information for credit-reporting purposes without providing 
opt-out opportunities, and financial institutions and others may also 
share this information to protect against or prevent actual or 
potential fraud and unauthorized transactions.[Footnote 30] Thus, 
financial institutions are not required to provide their customers with 
opt-out rights before reporting their information to credit bureaus or 
sharing their information with information resellers for identity 
verification and fraud purposes. Under another GLBA exception, 
financial institutions are also not required to provide consumers with 
an opportunity to opt out of the sharing of information with companies 
that perform services for the financial institution.[Footnote 31] 

GLBA's privacy provisions apply to information resellers only if (1) 
the reseller is a GLBA "financial institution" or (2) the reseller 
receives nonpublic personal information from such a financial 
institution (see fig. 2). The determination of whether a company is a 
financial institution under GLBA is complex and, for an information 
reseller, depends on whether the company's activities are included in 
implementing regulations issued by FTC. GLBA defines "financial 
institutions" as entities that are in the business of engaging in 
certain financial activities.[Footnote 32] Such activities include, 
among other things, traditional banking services, activities that are 
financial in nature on the FRB list of permissible activities for 
financial holding companies in effect as of the date of GLBA's 
enactment, and new permissible activities.[Footnote 33] While new 
financial activities may be identified, those activities are not 
automatically included in FTC's definition.[Footnote 34] FTC defines 
"financial institutions" as businesses that are "significantly engaged" 
in financial activities.[Footnote 35] For example, FRB's list of 
"financial activities" includes not only the activity of extending 
credit, but also related activities such as credit bureau 
services.[Footnote 36] Thus, the three nationwide credit bureaus are 
considered financial institutions subject to GLBA.[Footnote 37] 

Figure 2: GLBA Privacy Provisions: 

[See PDF for image] 

Source: GAO (analysis), Art Explosion (image). 

[End of figure] 

FTC staff told us that the determination of whether a specific 
information reseller is a financial institution subject to GLBA depends 
on the specific activities of the company. They said they determine 
whether GLBA applies to an entity on a case-by-case basis and that it 
is difficult to generalize what types of information resellers are GLBA 
financial institutions. For example, CRAs other than the three 
nationwide credit bureaus may not be subject to GLBA if their 
activities do not fall under FRB's definition of credit bureau services 
or they do not otherwise engage in any financial activity included in 
the 1999 FRB list. Only four resellers with whom 
we spoke--the three nationwide credit bureaus and a specialty CRA that 
collects deposit account information--told us they consider themselves 
financial institutions subject to GLBA's privacy and safeguarding 
provisions. Moreover, we were told that these provisions do not apply 
to the entire company but rather only to those activities of the 
company that are deemed financial in nature. For example, one credit 
bureau told us that its credit reporting activities fall under GLBA, 
but that its marketing products, which are not deemed financial in 
nature, do not fall under GLBA.[Footnote 38] 

GLBA not only limits how financial institutions share nonpublic 
personal information with other companies, but it also restricts what 
those companies subsequently do with the information. Under GLBA's 
"reuse and redisclosure" provision and FTC's implementing rule, 
companies that receive information from a financial institution are 
restricted in how they further share or use that information.[Footnote 
39] If a company receives information under a GLBA exception, then the 
reseller can only reuse and redisclose the information for activities 
that fall under the exception under which the information was 
received.[Footnote 40] Alternatively, if a company receives information 
from a financial institution in a way not covered by an exception-- 
where an individual has been provided with a GLBA notice and has chosen 
not to opt out of sharing--then the information may be reused and 
redisclosed in any way the original financial institution would have 
been permitted.[Footnote 41] 

As noted earlier, the nationwide credit bureaus sell credit header 
data--identifying information at the top of a credit report--to other 
information resellers for use in fraud prevention products. 
Representatives of two of the credit bureaus and their industry 
association told us that because credit header data contains 
information from financial institutions, it is subject to GLBA's reuse 
and redisclosure provisions. As a result, the credit bureaus can only 
sell credit header data under the same GLBA exception under which they 
received it. Credit bureau representatives said they receive the 
information from financial institutions under both the consumer 
reporting and fraud prevention exceptions, and then sell it under the 
fraud prevention exception. 

Also, some old credit header data may not be subject to GLBA at all. 
Prior to GLBA's enactment in 1999, credit header information sold by 
credit bureaus--which included names, addresses, aliases, and Social 
Security numbers--could be used or resold by a third party for any 
purpose, as long as the information was not used to make eligibility 
determinations. GLBA placed restrictions on the sale of such nonpublic 
personal information maintained by GLBA financial institutions. 
Further, as noted earlier, reuse and redisclosure of the information is 
also restricted by GLBA. The law's privacy restrictions generally 
became fully effective on July 1, 2001.[Footnote 42] A nationwide 
credit bureau told us that the restrictions did not apply retroactively 
to credit header data that credit bureaus already held at the time of 
GLBA's enactment in 1999. The nationwide credit bureau said that just 
prior to GLBA's enactment, it created a new database containing 
"pre-GLBA" credit header data and transferred those data to a separate 
affiliated company.[Footnote 43] The company told us that because it 
gathered these data prior to GLBA's enactment, the data are not subject 
to GLBA's privacy and safeguarding provisions. 

GLBA Safeguarding Provisions: 

The safeguarding provisions of GLBA require financial institutions to 
take steps to ensure the security and confidentiality of their 
customers' nonpublic personal information.[Footnote 44] Specifically, 
the agency regulations provide that financial institutions must develop 
comprehensive written policies and procedures to ensure the security 
and confidentiality of customer records and information, protect 
against any anticipated threats or hazards to the security or integrity 
of such records, and protect against unauthorized access to or use of 
such records or information that could result in substantial harm or 
inconvenience to any customer.[Footnote 45] Although the privacy 
provisions of GLBA apply broadly to financial institutions' consumers, 
GLBA's safeguarding requirements only establish obligations on 
financial institutions to protect their customer information. 

Only information resellers defined as financial institutions under the 
law are required to implement these safeguards. Several of the 
information resellers we spoke with noted that although GLBA does not 
apply to all of their products, they have policies and procedures to 
protect all of their information in a way consistent with GLBA's 
safeguarding requirements. Unlike GLBA's notice and opt-out 
requirements (privacy requirements), the law's safeguarding provisions 
do not directly extend to third-party companies that receive personal 
information from financial institutions. However, federal agencies' 
provisions implementing GLBA safeguarding rules require financial 
institutions to monitor the activities of their service providers and 
require them by contract to implement and maintain appropriate 
safeguards for customer information.[Footnote 46] 

Many commercial entities--including many information resellers--are not 
subject to GLBA and therefore are not explicitly required by a federal 
statute to have in place policies and procedures to safeguard 
individuals' personal data. This raises concerns given that identity 
theft has emerged as a serious problem and that breaches of sensitive 
personal data have occurred at a variety of companies that are not 
financial institutions. For example, in 2005, BJ's Wholesale Club, 
which is not considered a GLBA financial institution, settled FTC 
charges that it engaged in an unfair or deceptive act or practice in 
violation of the FTC Act by failing to take appropriate security 
measures to protect the sensitive information of thousands of its 
customers.[Footnote 47] FTC alleged that the company's failure to 
secure sensitive information was an unfair practice because it caused 
substantial injury not reasonably avoidable by consumers and not 
outweighed by offsetting benefits to consumers or competition. Some 
policymakers, consumer advocates, and industry representatives have 
advocated explicit statutory requirements that would broaden the number 
and types of companies that must safeguard their data. Had there been a 
statutory requirement for BJ's Wholesale Club to 
safeguard sensitive information, FTC would have had authority to file a 
complaint based on the company's failure to safeguard information. 
Expanding the class of entities subject to safeguarding laws would 
impose explicit data security provisions on a larger group of 
organizations that are maintaining sensitive personal information. FTC 
has testified that should Congress enact new data security 
requirements, FTC's safeguards rule should serve as a model for an 
effective enforcement standard because it provides sufficient 
flexibility to apply to a wide range of companies rather than mandate 
specific technical requirements that may not be appropriate for all 
entities.[Footnote 48] To be most effective, new data security 
provisions would need to apply both to customer and noncustomer data 
because the nature of information reseller businesses is such that they 
hold large amounts of sensitive personal information on individuals who 
are not their customers. 

No Federal Statute Requires Notification of Data Breaches: 

Currently, there is no federal statute requiring information resellers 
or most other companies to disclose breaches of sensitive personal 
information, although at least 32 states have enacted some form of 
breach notification law.[Footnote 49] Policymakers and consumer 
advocates have raised concerns that federal law does not always require 
companies to reveal instances of the theft or loss of sensitive data. 
These concerns have been triggered in part by increased public 
awareness of the problem of identity theft and by a large number of 
data breaches at a wide variety of public and private sector entities, 
including major financial services firms, information resellers, 
universities, and government agencies. In 2005, ChoicePoint 
acknowledged that the personal records it held on approximately 162,000 
consumers had been compromised. As part of a settlement with the 
company in January 2006, FTC alleged that ChoicePoint did not have 
reasonable procedures to screen prospective subscribers to its data 
products, and provided consumers' sensitive personal information to 
subscribers whose applications should have raised obvious 
suspicions.[Footnote 50] A December 2005 report by the Congressional 
Research Service noted that personal data security breaches were 
occurring with increasing regularity, and listed 97 recent breaches, 
five of which had occurred at information resellers.[Footnote 51] Data 
breaches are not limited to private sector entities, as evidenced by 
the theft discovered in May 2006 of electronic data of the Department 
of Veterans Affairs containing identifying information for millions of 
veterans. 

Congress has held several hearings related to data breaches, and a 
number of bills have been introduced that would require companies to 
notify individuals when such breaches occur.[Footnote 52] The bills 
vary in many ways, including differences in who must be notified, the 
level of risk that triggers a notice, the nature of the notification, 
exceptions to the requirement, and the extent to which federal law 
preempts state law. Breach notification requirements have two primary 
benefits. First, they provide companies or other entities with 
incentives to follow good security practices so as to avoid the legal 
liability or public relations risks that may result from a publicized 
breach of customer data. Second, consumers who are informed of a breach 
of their personal data can take actions to mitigate potential risk, 
such as reviewing the accuracy of their credit reports or credit card 
statements. However, FTC and others have noted that any federal 
requirements should ensure that customers receive notices only when 
they are at risk of identity theft or other related harm. To require 
notices when consumers are not at true risk could create an undue 
burden on businesses that may be required to provide notices for minor 
and insignificant breaches. It could also overwhelm consumers with 
frequent notifications about breaches that have no impact on them, 
reducing the chance they will pay attention when a meaningful breach 
occurs. At the same time, consumer and privacy groups and other parties 
have warned against imposing too weak of a trigger for notification, 
and expressed concerns that a federal breach notification law could 
actually weaken consumers' security if it were to preempt stronger 
state laws.[Footnote 53] 

FTC Has Primary Responsibility for Enforcing Information Resellers' 
Compliance with Privacy and Information Security Laws: 

The Federal Trade Commission is the federal agency with primary 
responsibility for enforcing applicable privacy and information 
security laws for information resellers. Since 1972, FTC has initiated 
numerous formal enforcement actions against information resellers for 
providing consumer report information without adequately ensuring that 
their customers had a permissible purpose for obtaining the data. FTC 
has civil penalty authority for violations of FCRA and, in limited 
situations, the FTC Act, but it does not have such authority for GLBA, 
which may inhibit its ability to most effectively enforce that law's 
privacy and security provisions. 

FTC Has Primary Federal Enforcement Authority over Information 
Resellers: 

FTC enforces the privacy and security provisions of FCRA and GLBA over 
information resellers. FCRA provided FTC with enforcement authority for 
nearly all companies not supervised by a federal banking 
regulator.[Footnote 54] Similarly, GLBA provided FTC with rule-making 
and enforcement authority over all financial institutions and other 
entities not under the jurisdiction of the federal banking regulators, 
NCUA, SEC, the Commodity Futures Trading Commission, or state insurance 
regulators.[Footnote 55] In addition, the FTC Act provides FTC with the 
authority to investigate and take administrative and civil enforcement 
actions against most commercial entities, including information 
resellers, that engage in unfair or deceptive acts or practices in or 
affecting commerce. According to FTC officials, an information reseller 
could violate the FTC Act if it mishandled personal information in a 
way that rose to the level of an unfair or deceptive act or practice. 

State regulators also play a role in enforcing data privacy and 
security laws. FCRA provides enforcement authority to a state's chief 
law enforcement officer, or any other designated officer or agency, 
although federal agencies have the right to intervene in any 
state-initiated action.[Footnote 56] In addition, GLBA allows states to 
enforce their own information security and privacy laws, including 
those that provide greater protections than GLBA, as long as the state 
laws are not inconsistent with requirements under the federal law. 
Several states, including Connecticut, North Dakota, and Vermont, have 
enacted restrictions on the sharing of financial information that are 
stricter than GLBA.[Footnote 57] States can also enforce their own laws 
related to unfair or deceptive acts or practices to the extent the laws 
do not conflict with federal law. 

FTC Has Investigated and Initiated Formal Enforcement Actions against 
Information Resellers for FCRA and FTC Act Violations: 

Since 1972, FTC has initiated numerous formal enforcement actions 
against at least 20 information resellers for violating FCRA and, in 
some cases, the FTC Act.[Footnote 58] All of these companies were CRAs, 
and they included the three nationwide credit bureaus as well as a 
variety of types of specialty CRAs.[Footnote 59] In most of these 
cases, FTC charged that the companies provided consumer report 
information without adequately ensuring that their customers had a 
permissible purpose for obtaining the data. In many cases, FTC alleged 
the companies sold consumer reports to users they had no reason to 
believe intended to use the information legally, or did not require the 
users to identify themselves and certify in writing the purposes for 
which they wished to use the reports. In addition, some companies' 
reports allegedly included significant inaccuracies or obsolete 
information; some companies also failed to reinvestigate disputed 
information within a reasonable period of time.[Footnote 60] 

Among the most significant of these FTC enforcement actions against 
information resellers are the following: 

* In 1995, FTC settled charges with Equifax Credit Information 
Services, the credit bureau subsidiary of Equifax Inc., for alleged 
violations of FCRA. FTC alleged that the company furnished consumer 
reports to individuals without a permissible purpose, included 
derogatory information in consumer reports that should have been 
excluded after it was disputed by the consumer, and failed to take 
steps to reduce inaccuracies in reports and reinvestigate disputed 
information. The consent agreement required Equifax to take steps to 
improve the accuracy of its consumer reports and limit the furnishing 
of such reports to those with a permissible purpose under 
FCRA.[Footnote 61] 

* In 2000, FTC ordered the TransUnion Corporation, a nationwide credit 
bureau, to stop selling consumer reports in the form of target 
marketing lists to marketers who lack an authorized purpose under FCRA 
for receiving them. The company had been selling mailing lists of the 
names and addresses of consumers meeting certain credit-related 
criteria (such as having certain types of loans). FTC found that the 
lists were consumer reports and that the lists therefore could not be 
sold for target marketing purposes.[Footnote 62] 

* In January 2006, FTC settled charges against ChoicePoint that its 
security and record-handling procedures violated federal laws with 
respect to consumers' privacy. FTC had alleged the company violated 
FCRA by providing sensitive personal information to customers despite 
obvious indications that the information would not be used for a 
permissible purpose. For example, ChoicePoint allegedly approved as 
customers individuals who subscribed to data products for multiple 
businesses using fax machines in public commercial locations. FTC also 
charged that the company violated the FTC Act by making false and 
misleading statements in its privacy policy, which said it provided 
consumer reports only to businesses that complete a rigorous 
credentialing process. Under the terms of the settlement, ChoicePoint 
agreed to pay $10 million in civil penalties--the largest civil penalty 
in FTC history--and to provide $5 million in consumer redress.[Footnote 
63] ChoicePoint did not admit to a violation of law in settling the 
charges. A company representative told us it has taken steps since the 
breach to enhance its customer screening process and to assist affected 
consumers. 

FTC Cannot Levy Civil Penalties for GLBA Information Privacy and 
Security Violations: 

FTC is the primary federal agency monitoring information resellers' 
compliance with privacy and security laws, but it is a law enforcement 
rather than supervisory agency. Unlike federal financial institution 
regulators, which oversee a relatively narrow class of entities, FTC 
has jurisdiction over a large and diverse group of entities and 
enforces a wide variety of statutes related to antitrust, financial 
regulation, consumer protection, and other issues. FTC's mission and 
resource allocations focus on conducting investigations and, unlike 
federal financial regulators, FTC does not routinely monitor or examine 
the companies over which it has jurisdiction. 

If FTC has reason to believe that violations of laws under its 
jurisdiction have taken place, it may initiate a law enforcement 
action. Under its statutory authority, it can ask or compel companies 
to produce documents, testimony, and other materials. FTC may in 
administrative proceedings issue cease and desist orders for unfair or 
deceptive acts or practices. Further, FTC generally may seek from the 
United States district courts a wide range of remedies, including 
injunctions, damages to compensate consumers for their actual losses, 
and disgorgement of ill-gotten funds.[Footnote 64] Depending on the law 
it is enforcing, FTC may also seek to obtain civil penalties--monetary 
fines levied for a violation of a civil statute or regulation. 

Although FTC has civil penalty authority for violations of FCRA and in 
limited situations the FTC Act, GLBA's privacy and safeguarding 
provisions do not give it such authority.[Footnote 65] Currently, FTC 
may seek an injunction to stop a company from violating these 
provisions and may seek redress--damages to compensate consumers for 
losses--or disgorgement. However, determining the appropriate amount of 
consumer compensation requires having information on who and how many 
consumers were affected and the harm, in monetary terms, that they 
suffered. This can be extremely difficult in the case of security and 
privacy violations, such as data breaches. Such breaches may lead to 
identity theft, but FTC staff told us that they may not be able to 
identify exactly which individuals were victimized and to what extent 
they were harmed--particularly in cases where the potential identity 
theft could occur years in the future. FTC could benefit from having 
the authority to impose civil penalties for violations of GLBA's 
privacy and safeguarding provisions because such penalties may be more 
practical enforcement tools for violations involving breaches of mass 
consumer data. FTC has testified that such authority is often the most 
appropriate remedy in such cases, and staff told us it could more 
effectively deter companies from violating provisions of GLBA. Unlike 
FTC, other regulators have civil penalty authority to enforce 
violations of GLBA. For example, OCC told us it can enforce GLBA 
privacy and safeguard provisions with civil money penalties against any 
insured depository institution or institution-affiliated 
party.[Footnote 66] 

Agencies Differ in Their Oversight of the Privacy and Security of 
Personal Information at Financial Institutions: 

In enforcing privacy and security requirements, federal regulators do 
not distinguish between the data that regulated entities obtain from 
information resellers and other personal information these entities 
maintain. Federal banking regulators have overseen compliance with the 
privacy and security provisions of GLBA and FCRA by issuing rules and 
guidance, conducting examinations, and taking formal and informal 
enforcement actions when needed. Securities and insurance regulators 
enforce GLBA information privacy and security requirements in a similar 
fashion, but FTC is responsible for FCRA enforcement among these firms. 
FTC is also responsible for GLBA and FCRA enforcement for financial 
services firms not supervised by another regulator and has initiated 
several enforcement actions, though it does not conduct routine 
examinations. Credit union, securities, and insurance regulators told 
us that unlike most of the banking regulators, they do not have full 
authority to examine their entities' third-party service providers, 
including information resellers. 

Financial Institutions and Their Regulators Said They Do Not 
Distinguish between Data from Information Resellers and Other Sources: 

The information privacy and security provisions of GLBA and FCRA 
provide several federal and state agencies with authority to enforce 
the laws' provisions for financial institutions. As shown in figure 3, 
GLBA assigns federal banking and securities regulators and state 
insurance regulators with enforcement responsibility for the financial 
institutions they oversee, and FTC has jurisdiction for all other 
financial institutions. FCRA similarly assigns the federal banking 
regulators authority over the institutions they oversee and FTC with 
jurisdiction over other entities.[Footnote 67] FCRA assigns FTC with 
enforcement responsibility for securities and insurance companies and 
provides securities and insurance regulators with no statutory 
responsibilities to enforce FCRA.[Footnote 68] 

Figure 3: Enforcement Responsibilities for Selected Financial 
Institutions under FCRA and GLBA: 

[See PDF for image] 

Source: GAO. 

Notes: The Commodity Futures Trading Commission, which was not 
identified as a functional regulator by GLBA, is nevertheless 
responsible for enforcing information privacy and security requirements 
among futures commission merchants, commodity trading advisers, 
commodity pool operators, and introducing brokers subject to its 
jurisdiction. See 7 U.S.C. § 7b-2. 

[A] NCUA enforces GLBA at all federally insured credit unions and FCRA 
at all federally chartered credit unions. FTC has enforcement authority 
for all other credit unions not subject to NCUA's jurisdiction. 

[B] SEC is responsible for enforcing GLBA compliance for investment 
advisers registered with SEC; FTC is responsible for enforcement at all 
other investment advisers. 

[C] FTC is responsible for enforcing FCRA at securities firms and 
insurance companies, but it is not a supervisory agency and does not 
conduct routine examinations. 

[End of figure] 

Financial regulators told us that in their oversight of companies' 
compliance with privacy laws, they generally do not distinguish between 
data obtained from information resellers versus other sources. The 
nonpublic personal information maintained by financial institutions 
includes both data they collect directly from their customers as well 
as data purchased from information resellers, such as credit reports or 
marketing lists. Banking and securities regulators told us their 
efforts to oversee the privacy and security of nonpublic personal 
information do not focus in particular on data that came from 
information resellers but rather look holistically at a financial 
institution's information security and compliance with applicable laws. 
For example, OCC and FRB officials said their examiners enforce the 
privacy and safeguarding requirements of GLBA and FCRA regardless of 
whether the source of the data is an information reseller, a customer, 
or other source. 

GLBA's safeguarding requirements apply only to nonpublic personal 
information that financial institutions maintain on their customers and 
not to information they maintain about other consumers (noncustomers). 
However, representatives of financial institutions we interviewed said 
that as a matter of policy, they generally apply the same information 
safeguards to both customer and consumer information. They said that 
their information safeguards focus on the sensitivity of the 
information rather than whether the person is a customer. For example, 
files containing Social Security numbers would have more stringent 
safeguards than those containing only names and addresses. Officials of 
a global investment banking and brokerage firm told us that although 
their firm maintains separate databases on customers and consumers 
targeted for marketing, both databases use the higher security standard 
required for customer information. Another company with similar 
practices noted that it treats all information with higher standards 
rather than setting up many different safeguarding policies and 
procedures. Other companies noted that public relations and 
reputational risk concerns motivate them to maintain high safeguards to 
prevent any consumer information from being lost or stolen. Similarly, 
federal banking regulators told us that failing to safeguard consumer 
information may not be a violation of GLBA but is still taken very 
seriously because it represents a threat to a bank's safety and 
soundness, poses reputational risks, and reflects a weakness in a 
bank's corporate governance. 

Federal Banking Agencies Provide Guidance and Examine Regulated Banking 
Organizations for GLBA and FCRA Compliance: 

The banking regulators responsible for GLBA and FCRA enforcement have 
issued regulations and other guidance on information privacy and 
security requirements. The individual banking regulators examine the 
financial institutions under their jurisdiction for compliance with 
GLBA and FCRA information privacy and safeguarding requirements and 
have taken enforcement actions for violations. 

Regulations and Other Guidance: 

The banking agencies acting jointly and individually, and in 
coordination with FTC, have issued regulations and other guidance for 
financial institutions to follow in implementing the privacy and 
safeguarding requirements of GLBA.[Footnote 69] In 2000, following the 
law's passage, the banking agencies--OCC, FRB, OTS, FDIC, and NCUA-- 
issued rules for compliance with the law's information privacy 
requirements.[Footnote 70] These rules helped financial institutions 
implement GLBA's notice and opt-out requirements. For example, they 
provided examples of types of information regulated by GLBA. In 2001, 
the agencies jointly issued guidelines establishing standards for 
GLBA's safeguarding requirements to assist financial institutions in 
establishing administrative, technical, and physical safeguards for 
customer information as required by law.[Footnote 71] In addition to 
the guidelines that implement GLBA safeguarding requirements, these 
regulators have in some cases issued guidance to provide further 
assistance to their institutions. For example, the banking agencies 
issued a guide on small entities' compliance with GLBA's privacy 
provision to help companies identify and comply with the requirements. 
The banking agencies also have issued additional written interagency 
guidance for financial institutions relating to notification of their 
customers in the event of unauthorized access to their information 
where misuse of the information has occurred or is reasonably 
possible.[Footnote 72] 

The banking regulators have also issued rules and regulations for their 
institutions to implement certain provisions of the Fair and Accurate 
Credit Transactions Act of 2003 (FACT Act), which amends FCRA.[Footnote 
73] For example, in 2004, in coordination with FTC, these agencies 
issued a final rule to implement the FACT Act requirement that persons, 
including financial institutions, properly dispose of consumer report 
information and records.[Footnote 74] Some provisions--such as 
restrictions on how financial institutions can share data with their 
affiliates for marketing purposes--have yet to be finalized by the 
banking or other agencies. 

Through the Federal Financial Institutions Examination Council 
(FFIEC)--a formal interagency body comprising representatives from OCC, 
OTS, FRB, FDIC, and NCUA that coordinates examination standards and 
procedures for their institutions--the banking agencies have also 
issued guidance to help bank examiners oversee the integrity of 
information technology at their institutions. For example, FFIEC 
developed the FFIEC IT Examination Handbook, which is composed of 12 
booklets designed to help examiners and organizations determine the 
level of security risks at financial institutions and evaluate the 
adequacy of the organizations' risk management. Representatives of 
banking regulators say their examiners rely on these booklets in 
addition to the GLBA and FCRA guidance when examining the integrity of 
an institution's information privacy and security procedures. Some of 
these booklets help examiners oversee financial institutions' use of 
information resellers and other third-party technology service 
providers by addressing topics such as banks' outsourcing of technology 
services or banks' supervision of their technology service providers. 
Financial institution regulators told us their examiners use these 
booklets to oversee the soundness of their institutions' technology 
services and to address information security issues posed by third- 
party technology service providers such as information resellers. 

Examinations and Enforcement Actions: 

Banking regulators regularly examine regulated banks, thrifts, and 
credit unions for compliance with GLBA and FCRA requirements.[Footnote 
75] Each regulatory agency told us that its safety and soundness, 
compliance, and information technology examinations include 
checks on whether their institutions are in compliance with GLBA's and 
FCRA's provisions related to the privacy and security of personal 
information. For example, OCC examination procedures tell examiners to 
review banks' monitoring systems and procedures to detect actual and 
attempted attacks on or intrusions into customer information systems. 
However, the scope of the regulators' reviews with regard to privacy 
and security matters can vary depending on the degree of risk 
associated with the institution examined. 

According to the banking agencies, their examinations of institutions' 
GLBA and FCRA compliance have discovered limited material deficiencies 
and violations requiring formal enforcement actions. Instead, they have 
mostly found various weaknesses that they characterized as technical in 
nature and required informal corrective action.[Footnote 76] FDIC 
officials said that between 2002 and 2005, the agency took 12 formal 
enforcement actions for GLBA violations and no formal enforcement 
actions under FCRA. They noted that FDIC has also taken informal 
enforcement actions to correct an institution's overall compliance 
management system, which covers all of the consumer protection statutes 
and regulations in the examination scope. 

According to OCC officials, between October 1, 2000, and September 30, 
2005, the agency took 18 formal enforcement actions under GLBA and no 
formal enforcement actions under FCRA. OCC's actions in these cases 
resulted in outcomes such as cease and desist orders and civil money 
penalties levied against violators. The agency also informally required 
banks to take corrective action in several instances, such as requiring 
a bank to notify customers whose accounts may have been compromised, or 
requiring a bank to correct and reissue its initial privacy notice. 
According to OCC staff, OCC's examinations for compliance with GLBA's 
privacy requirements most commonly found that banks' initial privacy 
notices were not clear and conspicuous, and its examinations for 
compliance with GLBA's safeguarding requirements most commonly found 
cases of inadequate customer information programs, risk assessment 
processes, testing, and reports to the board. 

FRB officials said the agency has taken 12 formal enforcement actions 
in the past 5 years for violations of GLBA's information-safeguarding 
standards and no formal actions for FCRA violations. They said FRB has 
taken several informal enforcement actions, including three related to 
violations of Regulation P, which implements GLBA's privacy 
requirements, and five informal actions for violations of FCRA. 
According to FRB staff, FRB's examinations for compliance with the 
interagency information security standards have found cases of 
inadequate customer information security programs, board oversight, and 
risk assessments, as well as cases of incomplete assessment of physical 
access controls and safeguarding of the transmission of customer data. 
The most commonly found problem in FRB's examinations for compliance 
with Regulation P was banks' failure to provide clear and conspicuous 
initial notices of their privacy policies and procedures. With regard 
to FCRA compliance, the violations cited most frequently were the 
failure to provide notices of adverse actions based on information 
contained in consumer reports or obtained from third parties. 

Securities Regulators Oversee GLBA Compliance of Securities Firms: 

SEC, NASD, and NYSE Regulation oversee securities industry 
participants' compliance with GLBA's privacy and information 
safeguarding requirements. Similar to the banking agencies, they have 
issued rules and other guidance, conducted examinations of firms' 
compliance with federal securities laws and regulations, and, if 
appropriate, taken enforcement actions. 

Regulations and Other Guidance: 

In June 2000, SEC adopted Regulation S-P, which implements GLBA's Title 
V information privacy and safeguarding requirements among the broker- 
dealers, investment companies, and SEC-registered investment advisers 
subject to SEC's jurisdiction.[Footnote 77] Regulation S-P contains 
rules of general applicability that are substantively similar to the 
rules adopted by the banking agencies. In addition to providing general 
guidance, Regulation S-P contains numerous examples specific to the 
securities industry to provide more meaningful guidance to help firms 
implement its requirements. For example, the rule provides detailed 
guidance on the provision covering privacy and opt-out notices when a 
customer opens a brokerage account. It also contains a section 
regarding procedures to safeguard information, including the disposal 
of consumer report information.[Footnote 78] 

Since Regulation S-P was adopted, SEC staff have issued additional 
written guidance in the form of Staff Responses to Questions about 
Regulation S-P. According to SEC staff, companies also receive feedback 
on Regulation S-P compliance during the examination process, as well as 
during telephone inquiries made to SEC offices. However, unlike the 
federal banking agencies, SEC has issued no additional written guidance 
on institutions notifying customers in the event of unauthorized access 
to customer information. SEC staff said they are considering possible 
measures that would address information security programs in more 
detail, including the issue of how to respond to security breaches. 

Examinations and Enforcement Actions: 

SEC has examined registered firms for Regulation S-P compliance. SEC 
staff said compliance with Regulation S-P was a focus area in SEC 
examinations during the first 1 to 1½ years after July 2001, when it 
became effective. During this period, Regulation S-P compliance was 
reviewed in 858 broker-dealer examinations, of which 105 resulted in 
findings.[Footnote 79] Also, during this period, Regulation S-P 
compliance was reviewed in 1,174 investment adviser examinations, of 
which 128 resulted in findings, and 218 investment company 
examinations, of which 17 resulted in findings. 

SEC staff said that more recently SEC has adopted a risk-based approach 
to determine the depth of a review of compliance with Regulation S-P. 
Under this approach, an initial review of compliance with Regulation S- 
P is done to determine if a closer look is warranted. During the past 
2½ years, compliance with Regulation S-P was reviewed in 1,891 
investment adviser examinations, of which 301 resulted in findings, and 
257 investment company examinations, of which 20 resulted in findings. 
SEC staff said they had not broken out separate Regulation S-P 
examination findings of broker-dealer examinations for this period and 
could not provide those numbers. They said the most common deficiencies 
were failure to provide privacy notices, no or inadequate privacy 
policy, and no or inadequate policies and procedures for safeguarding 
customer information. SEC staff said they had not found any 
deficiencies during their exams that warranted formal enforcement 
actions. They told us they have dealt with Regulation S-P compliance 
more as a supervisory matter and required registrants to resolve 
deficiencies without taking formal actions. 

SEC staff also said that SEC is now conducting a special review 
coordinated with NYSE Regulation looking at how broker-dealers are 
outsourcing certain functions that involve customer information. They 
said they are concerned with how registrants are managing the 
outsourcing process, including, among other things, due diligence in 
contractor selection, monitoring contractor performance, and disaster 
recovery/business continuity planning. 

NASD and NYSE Regulation Oversee Compliance of Member Broker-Dealers: 

NASD and NYSE Regulation also oversee Regulation S-P compliance among 
member broker-dealers. According to NASD officials, NASD took a two- 
pronged approach to ensure that its members understand their 
obligations under Regulation S-P and comply with its requirements. 
First, NASD issued guidance to its members regarding requirements of 
the regulation. For example, when Regulation S-P was adopted, NASD 
issued guidance to facilitate compliance by providing a notice designed 
to inform and educate its members about Regulation S-P.[Footnote 80] In 
the summer of 2001, NASD issued an article setting forth questions and 
answers regarding Regulation S-P and reminding members of the mandatory 
compliance deadline.[Footnote 81] In July 2005, NASD issued another 
notice reminding members of their obligations relating to the 
protection of customer information.[Footnote 82] Second, according to 
NASD officials, NASD conducts routine examinations--approximately 2,500 
per year--to check compliance with NASD rules and the federal 
securities laws, including Regulation S-P. Examiners check compliance 
with Regulation S-P using a risk-based approach in which examiners 
review certain information such as supervisory review procedures to 
assess the controls that exist at a firm. Depending on its findings, 
NASD determines whether to inspect in more detail the firm's Regulation 
S-P policies and procedures to ensure they are reasonably designed to 
achieve compliance with Regulation S-P, including its safeguarding and 
privacy requirements. Regulation S-P compliance was reviewed in 4,760 
NASD examinations of broker-dealers between October 1, 2000, and 
September 30, 2005. These examinations resulted in 502 informal actions 
and two formal actions--called Letters of Acceptance, Waiver, and 
Consent--for Regulation S-P violations. According to NASD, in one 
formal action, it censured and fined the respondents a total of 
$250,000 for various violations related to their failure to establish 
supervisory procedures and devote sufficient resources to supervision, 
including Regulation S-P compliance. In the other action, according to 
NASD, it censured and fined the firm and a principal associated person 
$28,500 and suspended the person for 30 days for failing to provide 
privacy notices to its customers and for several other non-privacy- 
related violations. 

Similarly, NYSE Regulation issued guidance on Regulation S-P to its 
member firms and sent its members an information memo reminding them of 
Regulation S-P requirements shortly before they became 
mandatory.[Footnote 83] NYSE Regulation's Sales Practice Review Unit 
conducts examinations of member firms' compliance with Regulation S-P 
and other privacy requirements on a 1-, 2-, or 4-year cycle, or when the 
member firm is otherwise deemed to be at a certain level of risk. 

State Insurance Regulators Require Insurers to Comply with Information 
Privacy and Security Provisions, but Enforcement May Be Limited: 

GLBA designates state insurance regulators as the authorities 
responsible for enforcement of its information privacy and safeguarding 
provisions among insurance companies. The individual states are 
responsible for enforcing GLBA with respect to insurance companies 
licensed in the state, and they may issue regulations.[Footnote 84] The 
National Association of Insurance Commissioners (NAIC) has issued model 
rules to guide states in developing programs to enforce GLBA 
requirements and has sponsored a multistate review of insurance 
companies' performance in this regard. 

NAIC Has Developed Model GLBA Privacy and Safeguarding Rules, but Not 
All States Have Adopted GLBA Regulations: 

NAIC has developed two model rules for states to use in developing 
regulations or laws to implement the GLBA information privacy and 
safeguarding provisions among the insurance companies they regulate. 
The first model rule, the Privacy of Consumer Financial and Health 
Information Regulation, issued in 2000, includes notice and opt-out 
requirements relating to insurance entities, and can be used by states 
as models for state laws and regulations. An August 2005 NAIC analysis 
showed that all states and the District of Columbia had adopted 
insurance laws or regulations to implement GLBA's requirements related 
to the privacy of financial information.[Footnote 85] 

The second model rule, the Standards for Safeguarding Customer 
Information Model Regulation, issued in 2002, establishes standards for 
developing and implementing administrative, technical, and physical 
safeguards to protect the security, confidentiality, and integrity of 
customer information. In contrast to the privacy model, an October 2005 
NAIC analysis showed that 17 states had yet to adopt a law or 
regulation setting standards for safeguarding customer information. In 
April 2002, GAO reported that insurance customer information and 
records in states that had not established safeguards may not be 
subject to a consistent level of legal protection envisioned by GLBA's 
privacy provisions.[Footnote 86] 

Individual State Insurance Regulators Have Not Consistently Examined 
for Privacy and Security Compliance: 

Individual state insurance regulators have procedures for examining 
companies for compliance with information privacy and safeguarding 
requirements, but do not routinely do so. According to an NAIC 
official, NAIC's Market Conduct Examiners Handbook contains detailed 
examination procedures for reviewing information privacy requirements 
and its Financial Examiners Handbook has a segment devoted to security 
of computer-based systems. He said the individual state regulators can 
examine for compliance with privacy requirements as part of their 
comprehensive examinations of companies, but that states are focusing 
less on conducting comprehensive examinations and more on targeted 
examinations. As a result of a lack of complaints regarding privacy 
matters, however, he said the states are probably doing few targeted 
examinations of compliance with privacy requirements. 

To forestall possible multiple, overlapping, and inconsistent 
examinations by numerous states, NAIC in 2005 sponsored a multistate 
review to gather information on insurance companies' compliance with 
GLBA privacy and safeguarding provisions. The review team, led by the 
District of Columbia's Department of Insurance, Securities and Banking 
(DISB), with the participation of 19 states, covered more than 100 of 
the largest insurance groups, representing about 800 insurance 
companies operating in the United States.[Footnote 87] The review team 
administered a survey questionnaire, reviewed each insurer's responses 
to the questionnaire, and subsequently held conferences with 
representatives of the insurer. The review resulted in: 

* 22 findings related to the risk assessment process, including failure 
to work toward a formalized assessment process to identify risks of 
internal and external threats and hazards to the safeguarding, 
confidentiality, and integrity of information; 

* 18 findings related to GLBA's requirements for information storage, 
transmission, and integrity; 

* 16 findings related to the delivery of privacy notices (although 12 
of those findings related to the provision of the initial notice rather 
than recurring findings); and: 

* no findings related to GLBA procedures for providing opt-out 
notifications or procedures for collecting opt-out elections. 

These findings were similar to those of other financial regulators' 
examinations of GLBA compliance. However, unlike the other regulators, 
state insurance regulators do not have comparable examination programs 
to follow up to ensure that such findings are corrected and do not 
become more numerous. The DISB qualified the scope of its survey by 
noting that it did not include (1) a review of the insurer's efforts 
with respect to remediation activities, (2) a detailed analysis of the 
effectiveness of the insurer's plans to correct privacy problems or to 
protect the business against the consequences associated with any 
privacy-related occurrences, or (3) a determination of steps the 
insurer must take to become privacy compliant or maintain privacy 
compliance. 

Although this survey was not a substitute for regulatory examination of 
insurers' compliance with GLBA, it could serve as a basis for further 
examination of such compliance. Other financial regulators have 
gathered preliminary information that they then use as a basis for 
further examinations of regulated entities. For example, in 2003, SEC 
followed up on reports of abusive practices in mutual fund trading by 
requesting information from various mutual fund companies on these 
trading practices, and this served as a basis for further examinations 
of individual companies. According to NAIC officials, the DISB survey 
results were never reviewed by state insurance regulators as part of 
their examinations of insurance companies. NAIC officials said the 
survey results were reviewed by NAIC's Market Analysis Working Group 
and referred back to DISB to determine what, if any, additional follow- 
up was necessary. DISB staff told us that most state insurance 
regulators, as well as DISB, do not have staff with adequate expertise 
to actually examine insurers' information privacy and safeguarding 
programs. They said the states would have to contract with vendors to 
obtain this expertise. 

FTC Enforces GLBA and FCRA Compliance of Financial Institutions within 
Its Jurisdiction: 

As discussed earlier, FTC enforces GLBA for financial institutions not 
otherwise assigned to the enforcement authority of another regulator, 
and enforces FCRA for the same entities and others, including 
securities firms and insurance companies. FTC has issued rules 
implementing GLBA and FCRA information privacy and safeguarding 
requirements and developed other materials that provide detailed 
guidance for companies to implement the requirements. FTC issued two 
rules--referred to as the Privacy Rule and the Safeguards Rule--to 
implement GLBA's requirements for financial institutions not covered by 
similar regulations issued by the financial institution regulators. 
These rules provide examples to clarify things such as what constitutes 
a customer relationship and what types of information are covered under 
the law's sharing restrictions. FTC has also issued rules to implement 
the FACT Act amendments to FCRA, although some rules have not yet been 
issued in final form.[Footnote 88] FTC provides additional guidance to 
financial institutions on how to comply with GLBA and FCRA in the form 
of business alerts, fact sheets, frequently asked questions, and a 
compliance guide for small businesses. For example, FTC has issued 
alerts on safeguarding customers' personal information, disposing of 
consumer report information, and insurers' use of consumer reports. 

Between 2003 and 2005, FTC took enforcement actions against at least 
seven financial service providers for violations of GLBA information 
privacy and safeguarding requirements, resulting in settlement 
agreements with: 

* an Internet mortgage lender accused of false advertising and failure 
to protect sensitive consumer information; 

* a credit card telemarketer that allegedly failed to notify consumers 
of its privacy practices and obtained information from consumers under 
false pretenses; 

* two or more mortgage lenders charged with failing to protect 
consumers' personal information; and: 

* three nonprofit debt management organizations accused of failing to 
notify consumers how their personal information would be used, and 
other violations.[Footnote 89] 

NCUA, Securities, and Insurance Regulators Do Not Have Full Authority 
to Examine Third-Party Vendors, Including Information Resellers: 

As part of their bank examinations, FRB, FDIC, OCC, and OTS have 
authority to examine third-party service providers, such as some 
information resellers with which banks may do business.[Footnote 90] 
Technology service provider examinations are done under the auspices of 
FFIEC and coordinated with other regulators.[Footnote 91] Some vendors 
may be examined routinely; for example, officials of one information 
reseller providing services to banks told us that it is subject to 
periodic examinations under the auspices of FFIEC. In other cases, a 
service provider may be examined only once for a particular purpose. 
For example, OCC and FDIC examiners visited Acxiom, which provides a 
number of banks with information services, such as analyzing and 
enhancing customer information for marketing purposes. The examiners' 
visit focused on a security breach in which a client was granted access 
to information files obtained from other clients. According to Acxiom 
officials, this was a one-time review of the breach that occurred in 
its computer services operations and did not result in the company 
being added to a list of technology service providers that banking 
regulators routinely review. 

Unlike the banking regulators, NCUA does not have authority to examine 
the third-party service providers of credit unions, including 
information resellers.[Footnote 92] In 2003, we reported that credit 
unions increasingly rely on third-party vendors to support technology- 
related functions such as Internet banking, transaction processing, and 
fund transfers.[Footnote 93] With greater reliance on third-party 
vendors, credit unions subject themselves to operational and 
reputational risks if they do not manage these vendors appropriately. 
While NCUA has issued guidance regarding the due diligence credit 
unions should apply to third-party vendors, the agency has no 
enforcement powers to ensure full and accurate disclosure. As such, in 
2003 we suggested that Congress consider providing NCUA with 
legislative authority to examine third-party vendors, and NCUA has also 
requested such authority from Congress. However, an NCUA official told 
us that few of these vendors are information resellers because credit 
unions typically do not use them to a great extent. He said that credit 
unions generally use methods other than resellers to comply with 
PATRIOT Act customer identification requirements, and credit unions' 
bylaws typically forbid sharing customers' personal financial 
information for marketing purposes. 

Similarly, federal securities regulators and representatives of state 
insurance regulators told us they generally do not have authority to 
examine or review the third-party service providers of the firms they 
oversee, including information resellers. According to SEC staff, the 
agency can examine the third-party vendor only if the firm also is an 
SEC-registered entity over which the agency has examination authority. 
However, they said that, to date, SEC has not seen sufficient problems 
with third-party vendors to justify requesting the authority to examine 
them at this time. They noted that in their examinations, they hold 
entities accountable for ensuring that personal information is 
appropriately safeguarded whether the information is managed in-house 
or by a vendor. Similarly, NASD officials said that although they do 
not have jurisdiction to oversee third-party vendors, their examiners 
review member firms' procedures for monitoring contractors, including 
whether such contracts contain clauses ensuring the privacy and 
security of customer information. In July 2005, NASD issued a Notice to 
Members reminding them that when they outsource certain activities as 
part of their business structure, they must conduct a due diligence 
analysis to ensure that the third-party service provider can adequately 
perform the outsourced functions and comply with federal securities 
laws and NASD rules.[Footnote 94] Similarly, NYSE Regulation 
examinations review third-party contracts to ensure that they contain 
confidentiality clauses prohibiting the contractor from using or 
disclosing customer information for any use other than the purposes for 
which the information was provided to the contractor. NYSE Regulation 
has proposed a rule governing its members' use of contractors, which, 
if adopted, will require member firms to follow certain steps in 
selecting and overseeing contractors, such as applying prescribed due 
diligence standards and the record-keeping requirements of the 
securities laws.[Footnote 95] 

State insurance regulators generally do not have authority to examine 
information resellers and other third-party service providers. NAIC 
officials told us that state insurance regulators can only examine 
information resellers or other companies if they are registered as 
rating organizations--companies that collect and analyze statistical 
information to assist insurance companies in their rate-making process. 
For example, NAIC said state insurance regulators can examine ISO--one 
of the resellers included in our review--because it is registered with 
states as a rating organization. 

Conclusions: 

Advances in information technology and the computerization of records 
have spawned the growth of information reseller businesses, which 
regularly collect, process, and sell personal information about nearly 
all Americans. The information maintained by resellers commonly 
includes sensitive personal information, such as purchasing habits, 
estimated incomes, and Social Security numbers. The expansion in the 
past few decades in the sale of personal information has raised 
concerns about both personal privacy and data security. Many consumers 
may not be aware how much of their personal information is maintained 
and how frequently it is disseminated. In addition, identity theft has 
emerged as a serious problem, and data security breaches have occurred 
at some major resellers. At the same time, however, information 
resellers also provide some important benefits to both individuals and 
businesses. Financial institutions rely heavily on these resellers for 
a variety of vital purposes, including credit reporting (which reduces 
the cost of credit), PATRIOT Act compliance, and fraud detection. As 
Congress weighs various legislative options, it will need to consider 
the appropriate balance between protecting consumers' privacy and 
security interests and the benefits conferred by the current regime 
that allows a relatively free flow of information between companies. 

No federal law explicitly requires all information resellers to 
safeguard all of the sensitive personal information they may hold. As 
we have discussed, FCRA applies only to consumer information used or 
intended to be used to help determine eligibility, and GLBA's 
safeguarding requirements apply only to customer data held by GLBA- 
defined financial institutions. Much of the personal information 
maintained by information resellers that does not fall under FCRA or 
GLBA is not necessarily required by federal law to be safeguarded, even 
when the information is sensitive and subject to misuse by identity 
thieves. Given financial institutions' widespread reliance on 
information resellers to comply with legal requirements, detect fraud, 
and market their products, the possibility for misuse of this sensitive 
personal information is heightened. Requiring information resellers to 
safeguard all of the sensitive personal information they hold would 
help ensure that explicit data security requirements apply more 
comprehensively to a class of companies that maintains large amounts of 
such data. Further, although the scope of this report focused on 
information resellers, this work has made clear to us that a wide range 
of retailers and other entities also maintain sensitive personal 
information on consumers. As Congress considers requiring information 
resellers to better ensure that all of the sensitive personal 
information they maintain is safeguarded, it may also wish to consider 
the potential costs and benefits of expanding more broadly the class of 
entities explicitly required to safeguard sensitive personal 
information. Any new safeguarding requirements would likely be more 
effectively implemented and least burdensome if, as with FTC's 
Safeguards Rule, they provided sufficient flexibility to account for 
the widely varying size and nature of businesses that hold sensitive 
personal information. 

The proliferation of sensitive personal information in the marketplace 
and increasing numbers of high-profile data breaches have motivated 
many states to enact data security laws with breach notification 
requirements. No federal statute currently requires breach 
notification, but such legislation could have certain benefits. 
Companies would have incentives to improve data safeguarding to reduce 
the reputational risk of a publicized breach, and consumers would know 
to take potential action against a risk of identity theft or other 
related harm. Congress has held many hearings related to data breaches, 
and several bills have been introduced that would require breach 
notification. We support congressional actions to require information 
resellers, and other companies, to notify individuals when breaches of 
sensitive information occur. In previous work, we have also identified 
key benefits and challenges of notifying the public about security 
breaches that occur at federal agencies. To be cost effective and 
reduce unnecessary burden on consumers, agencies, and industry, it 
would be important for Congress to identify a threshold for 
notification that would allow individuals to take steps to protect 
themselves where the risk of identity theft or other related harm 
exists, while ensuring they are only notified in cases where the level 
of risk warrants such action. Objective criteria for when notification 
is required and appropriate enforcement mechanisms are also important 
considerations. Congress should also consider whether and when a 
federal breach notification law would preempt state laws. 

FTC has taken many significant enforcement actions against information 
resellers and other companies that have violated federal privacy laws, 
and it is important that the agency have the appropriate enforcement 
remedies. Unlike FCRA, GLBA does not provide FTC with civil penalty 
authority, and agency staff have expressed concerns that the remedies 
FTC has available under GLBA--such as disgorgement and consumer 
redress--are impractical enforcement tools for violations involving 
breaches of mass consumer data. Providing FTC with the authority to 
seek civil penalties for violations of GLBA could help the agency more 
effectively enforce that law's safeguarding provisions. 

Federal financial regulators generally appear to provide suitable 
oversight of their regulated entities' compliance with privacy and 
information security laws governing consumer information. The 
regulators do not typically distinguish between data that entities 
receive from resellers and other sources, but this seems reasonable 
given that the sensitivity, rather than the source, of the data is the 
most important factor in examining data security practices. However, 
state insurance regulators do not have comparable examination programs 
to other financial regulators to ensure consistent GLBA compliance. 
This may be a source of concern given the recent multistate survey that 
identified deficiencies in GLBA compliance at insurance companies. 

Matters for Congressional Consideration: 

Safeguarding provisions of FCRA and GLBA do not apply to all sensitive 
personal information held by information resellers. To ensure that such 
data are protected on a more consistent basis, Congress should consider 
requiring information resellers to safeguard all sensitive personal 
information they hold. As Congress considers how best to protect data 
maintained by information resellers, it should also consider whether to 
expand more broadly the class of entities explicitly required to 
safeguard sensitive personal information. If Congress were to choose to 
expand safeguarding requirements, it should consider providing the 
implementing agencies with sufficient flexibility to account for the 
wide range in the size and nature of entities that hold sensitive 
personal information. 

To ensure that the Federal Trade Commission has the tools it needs to 
most effectively act against data privacy and security violations, 
Congress should consider providing the agency with civil penalty 
authority for its enforcement of the Gramm-Leach-Bliley Act's privacy 
and safeguarding provisions. 

Recommendation for Executive Action: 

We recommend that state insurance regulators, individually and in 
concert with the National Association of Insurance Commissioners, take 
additional measures to ensure appropriate enforcement of insurance 
companies' compliance with the privacy and safeguarding provisions of 
the Gramm-Leach-Bliley Act. As a first step, state insurance regulators 
and NAIC should follow up appropriately on deficiencies related to 
compliance with these provisions that were identified in the recent 
nationwide survey as part of a broader targeted examination of GLBA 
privacy and safeguarding requirements. 

Agency Comments: 

We provided a draft of this report to FDIC, FRB, FTC, NAIC, NASD, NCUA, 
NYSE Regulation, OCC, OTS, and SEC for comment. These agencies provided 
technical comments, which we incorporated, as appropriate. In addition, 
FTC provided a written response, which is reprinted in appendix III. In 
its response, FTC noted that it has previously recommended that 
Congress consider legislative actions to increase the protection 
afforded personal sensitive data, including extending GLBA safeguarding 
principles to other entities that maintain sensitive information. FTC 
also noted that it concurs with our finding that a civil penalty often 
is the most appropriate and effective remedy in cases under GLBA 
privacy and safeguarding provisions. 

As agreed with your offices, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 30 days 
from the report date. At that time, we will provide copies to other 
interested congressional committees, as well as the Chairman of the 
Board of Governors of the Federal Reserve System, the Acting Chairman 
of the Federal Deposit Insurance Corporation, the Chairman of the 
Federal Trade Commission, the President of the National Association of 
Insurance Commissioners, the Chairman and Chief Executive Officer of 
NASD, the Chairman of the National Credit Union Administration, the 
Chief Executive Officer of New York Stock Exchange Regulation, the 
Comptroller of the Currency, the Director of the Office of Thrift 
Supervision, and the Chairman of the Securities and Exchange 
Commission. We will also make copies available to others upon request. 
In addition, the report will be available at no charge on GAO's Web 
site at [Hyperlink, http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact me at (202) 512-8678 or jonesy@gao.gov. Contact points for our 
Offices of Congressional Relations and Public Affairs may be found on 
the last page of this report. GAO staff who made key contributions to 
this report are listed in appendix IV. 

Signed by: 

Yvonne D. Jones: 
Director, Financial Markets and Community Investment: 

[End of section] 

Appendix I: Scope and Methodology: 

Our report objectives were to examine (1) how financial institutions 
use data products supplied by information resellers, the types of 
information contained in these products, and the sources of the 
information; (2) how federal laws governing the privacy and security of 
personal data apply to information resellers, and what rights and 
opportunities exist for individuals to view and correct data held by 
resellers; (3) how federal financial institution regulators and the 
Federal Trade Commission (FTC) oversee information resellers' 
compliance with federal privacy and information security laws; and (4) 
how federal financial institution regulators, state insurance 
regulators, and FTC oversee financial institutions' compliance with 
federal privacy and information security laws governing consumer 
information, including information supplied by information resellers. 

For the purposes of this report, we defined "information resellers" 
broadly to refer to businesses that collect and aggregate personal 
information from multiple sources and make it available to their 
customers. The three nationwide credit bureaus were included in this 
definition. Our audit work focused primarily on larger information 
resellers and did not cover smaller Internet-based resellers because 
these companies were rarely or never used by financial institutions 
from which we collected information. Our scope was limited to 
resellers' use and sale of personal information about individuals; it 
did not include other information that resellers may provide, such as 
data on commercial enterprises. Our review of financial institutions 
covered the banking, securities, property and casualty insurance, and 
consumer lending and finance industries, but excluded life insurance 
and health insurance companies because they use health data that are 
covered by federal laws that were outside the scope of our work. In 
addition, we included financial institutions' use of reseller 
information for purposes related to customers and other consumers, but 
excluded their use of reseller products for screening their own 
employees or making business decisions such as where to locate a 
facility. 

To address all of the objectives, we interviewed or received written 
responses from 10 information resellers--Acxiom, eFunds, ChoicePoint, 
Equifax, Experian, LexisNexis, ISO, Regulatory DataCorp, Thomson West, 
and TransUnion. We also reviewed marketing materials, sample contracts, 
sample reports, and other items from these companies that provided 
detailed information on the data contained in their products. These 
companies were selected because, according to the financial 
institutions, trade associations, and industry experts we spoke with, 
they constitute most of the largest and most significant information 
resellers offering services to the financial industry sector, and 
collectively they represent a variety of different products. The 
information resellers we included and the products they offer do not 
necessarily represent the full scope of the industry. We also spoke 
with representatives of the Consumer Data Industry Association and the 
Direct Marketing Association, trade associations that represent 
portions of the information reseller industry. 

To determine how financial institutions use data products supplied by 
information resellers and the types and sources of the data, we also 
interviewed or received written responses, and collected and analyzed 
documents, from knowledgeable representatives at financial institutions 
in the banking, securities, property and casualty insurance, and 
consumer lending and finance industries. We gathered information from 
Bank of America, Citigroup, and JPMorgan Chase, which are the three 
largest U.S. bank holding companies by asset size, as well as Goldman 
Sachs, Morgan Stanley, and Merrill Lynch, which are the three largest 
global securities firms by revenue. We also interviewed representatives 
at American International Group, State Farm, and Allstate, which are 
the three largest U.S. insurance companies and include the two largest 
property/casualty insurers. We also interviewed representatives at GE 
Consumer Finance, one of the world's 10 largest consumer finance 
companies, and four other financial institutions--American Express, 
Wells Fargo Financial, Security Finance, and Check into Cash--which 
together offer a variety of consumer lending products, including 
automobile financing, credit cards, and payday loans. We also 
interviewed officials at trade associations representing these 
financial services industries, including the American Bankers 
Association, Independent Community Bankers of America, Securities 
Industry Association, Investment Company Institute, American Insurance 
Association, and American Financial Services Association. 

These financial institutions from which we gathered information conduct 
a significant portion of the transactions in the financial services 
sector. For example, they collectively own 9 of the 50 largest 
commercial depository institutions, holding about 20 percent of total 
domestic deposits, as well as 8 of the 10 largest credit card issuers. 
The insurance companies we spoke with represent about a quarter of the 
U.S. property and casualty insurer market share. In most cases, we 
selected these financial institutions by determining the largest 
companies in each of the four industries, based on data from reputable 
sources. In two cases, we spoke with firms because they were 
recommended by representatives of their trade association. Our findings 
on how financial institutions use information resellers are not 
representative of the entire financial services industry. However, we 
believe they accurately represent institutions' use of resellers 
because our findings from discussions with these companies and their 
representatives were corroborated by discussions with information 
resellers, regulators, legal experts, and privacy and consumer advocacy 
groups. 

To identify how federal privacy and data security laws and regulations 
apply to information resellers and individuals' rights and 
opportunities to view and correct reseller data, we reviewed and 
analyzed relevant federal laws, regulations, and guidance. We also met 
with staff of the Board of Governors of the Federal Reserve System, 
Federal Deposit Insurance Corporation, Federal Trade Commission, 
National Credit Union Administration, Office of the Comptroller of the 
Currency (OCC), Office of Thrift Supervision, and Securities and 
Exchange Commission, as well as the National Association of Insurance 
Commissioners (NAIC), NASD (formerly known as the National Association 
of Securities Dealers), New York Stock Exchange Regulation (NYSE 
Regulation), and the District of Columbia's Department of Insurance, 
Securities and Banking (DISB). In addition, we interviewed three legal 
experts in the area of privacy law that work in academia or represent 
financial institutions and information resellers. We also interviewed 
and collected documents from information resellers, financial 
institutions, federal regulators, and a variety of privacy and consumer 
advocacy groups, to gather views on the applicability of laws to 
information resellers and the adequacy of existing laws. 

To describe how regulators oversee information resellers' and financial 
institutions' compliance with federal privacy and data security laws, 
we met with the federal agencies, financial institutions, information 
resellers, and other parties listed above. We also reviewed federal 
agencies' guidance, examination procedures, settlement agreements, and 
other documents, as well as relevant reports and documents from NAIC, 
NASD, and NYSE Regulation. To help illustrate regulators' examination 
activities in this area, we also met with OCC staff who conduct 
examinations at three national banks and reviewed their examination 
workpapers. We also gathered data from regulators about the number and 
nature of examination findings, where applicable. 

To describe the efforts of state insurance regulators to oversee 
insurance companies' compliance with the Gramm-Leach-Bliley Act (GLBA), 
we also reviewed the DISB survey report of insurance companies' 
implementation of GLBA policies and procedures. DISB used the survey 
responses to determine findings for each company on the level of 
compliance with GLBA and related NAIC model rule provisions. The DISB 
review defined a "finding" as an occurrence of a perceived gap between 
a company's privacy practices and procedures and the guidelines 
outlined in one of the model acts or regulations of NAIC. The findings 
were derived from responses to the survey questions. The companies DISB 
surveyed comprised major companies, including property and casualty 
insurance groups with 2002 gross written premiums of approximately $250 
million or more; life insurance groups with 2002 gross written premiums 
of approximately $200 million or more; and health insurance groups with 
2002 gross written premiums of approximately $500 million or more. This 
initial list contained 129 insurance groups. After the initial list was 
compiled, 26 groups were exempted from the survey examination for one 
of three reasons: (1) there was a prior, ongoing, or upcoming 
examination of the group that included (or would include) a 
comprehensive review of the group's privacy policy (23 groups); (2) the 
group engaged primarily or solely in reinsurance (2 groups); or (3) the 
state insurance regulator for the company's state of domicile requested 
that the group be exempted (1 group). The survey questionnaire included 
93 questions asking for detailed documentary and testimonial evidence 
of companies' level of compliance with GLBA and related NAIC model rule 
provisions. 

We conducted our review from June 2005 through May 2006 in accordance 
with generally accepted government auditing standards. 

[End of section] 

Appendix II: Sample Information Reseller Reports: 

This appendix provides examples of reports from different types of 
products sold by information resellers. These sample reports, which are 
reprinted with permission, contain fictitious data and have also been 
redacted to reduce possible coincidental references to actual people or 
places. 

Sample Insurance Claims History Report: 

This sample insurance claims history report from ChoicePoint provides 
insurers with insurance claims histories on individuals applying for 
coverage. 

Figure 4: Sample Insurance Claims History Report: 

[See PDF for image] 

Source: ChoicePoint. 

[End of figure] 

Sample Deposit Account History Report: 

ChexSystems, a subsidiary of eFunds, offers a product that assesses 
risks associated with individuals applying to open new deposit 
accounts. The report includes information on an applicant's account 
history, including accounts closed for reasons such as overdrafts, 
returned checks, and check forgery. The report may include a numeric 
score representing the individual's estimated risk. 

Figure 5: Sample Deposit Account History Report: 

[See PDF for image] 

Source: eFunds. 

[End of figure] 

Sample Identity Verification and OFAC Screening Report: 

ISO, a company that provides information services to insurance 
companies, offers this product for screening new customers and 
verifying their identities. It provides a "pass" or "fail" response to 
indicate whether information provided by the applicant matches 
information maintained by the company. 

Figure 6: Sample Identity Verification and OFAC Screening Report: 

[See PDF for image] 

Source: ISO. 

[End of figure] 

Sample Fraud Investigation Report: 

Below are selected excerpts from a sample report of ChoicePoint's 
AutoTrack XP product, which helps users such as corporate fraud 
investigators and law enforcement agencies conduct investigations, 
locate individuals and assets, and verify physical addresses. 

Figure 7: Sample Fraud Investigation Report: 

[See PDF for image] 

Source: ChoicePoint. 

[End of figure] 

[End of section] 

Appendix III: Comments from the Federal Trade Commission: 

Federal Trade Commission: 
Washington, D.C. 20580:
The Chairman:

June 2, 2006:

Ms. Yvonne Jones:
Director, Financial Markets and Community Investment: 
Government Accountability Office:
Washington, D.C. 20548:

Dear Ms. Jones:

The Commission is pleased to have the opportunity to comment on the 
Government Accountability Office's draft report entitled: Personal 
Information: Key Federal Privacy Laws Do Not Require Information 
Resellers to Safeguard all Sensitive Data (GAO-06-674) ("Report"). The 
Report describes the sources of consumer personal data, how different 
entities use or reuse the data, and the statutory provisions that 
govern the collection, use, and reuse of sensitive personal 
information. The Report also explains how banking regulators, the 
Securities and Exchange Commission, and the Federal Trade Commission 
("FTC") oversee compliance with the privacy and safeguarding provisions 
of the Gramm-Leach-Bliley Act ("GLBA"), and describes the FTC's 
enforcement of the Fair Credit Reporting Act ("FCRA") with respect to 
information resellers. The Report concludes that "[n]o federal law 
explicitly requires all information resellers to safeguard all the 
sensitive personal information they may hold." It also finds that 
entities other than information resellers hold sensitive personal 
information.

We understand that the agencies' staffs worked cooperatively throughout 
the preparation of this report and that FTC staff has provided informal 
technical comments on the draft of the Report to the GAO staff, the 
vast majority of which have been incorporated.

The Report makes several legislative recommendations, two of which the 
Commission supports, and one on which the Commission has no opinion. 
First, the Report recommends that Congress consider requiring 
information resellers to safeguard all sensitive personal information 
they hold, and suggests that Congress consider the benefits and costs 
of expanding the class of entities explicitly required to safeguard 
sensitive personal information. (Report at 42) The FTC similarly has 
recommended that Congress consider legislative actions to increase the 
protection afforded sensitive personal data. In its June 2005 testimony 
before the Senate Committee on Commerce, Science, and Transportation on 
data breaches and identity theft, the Commission recommended that 
Congress consider extending the GLBA safeguards principles, which 
require financial institutions to implement procedures to protect 
consumer financial information, to other entities that maintain 
sensitive information.[Footnote 96] 

Second, the Report recommends that Congress consider authorizing the 
FTC to seek civil penalties for violations of the GLBA privacy and 
safeguarding provisions. In its testimony to the Senate Committee cited 
above, the Commission noted that a civil penalty often is the most 
appropriate and effective remedy in cases under those 
provisions.[Footnote 97] The Commission thus agrees with the Report's 
recommendation.

Finally, the Report recommends that state regulators ensure compliance 
with GLBA in their oversight of insurance companies. Although the 
Commission does not have an opinion regarding state oversight of 
insurance companies, the Commission agrees with GAO's conclusion that 
insurance companies often hold sensitive personal data.

Protecting the privacy and security of personal information collected 
or sold by data brokers and others is one of the Commission's highest 
priorities. The Commission will continue to monitor this area and will 
take law enforcement action when appropriate against entities that fail 
to protect properly sensitive consumer data.[Footnote 98] 

Further, the Commission encourages consumers to understand their rights 
under the FCRA and GLBA, and to take appropriate measures to protect 
their data. We have developed an array of consumer education materials 
for these purposes, which are available online at [Hyperlink, 
http://www.ftc.gov].

The Commission appreciates this opportunity to review and comment on 
GAO's Report.

By direction of the Commission.

Signed by: 

Deborah Platt Majoras: 
Chairman:

[End of section] 

Appendix IV: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Yvonne D. Jones, (202) 512-8678 or jonesy@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, Jason Bromberg, Assistant 
Director; Katherine Bittinger; David Bobruff; Randy Fasnacht; Evan 
Gilman; Marc Molino; David Pittman; Linda Rego; and David Tarosky made 
key contributions to this report. 

FOOTNOTES 

[1] This report uses "information resellers" to describe businesses 
that collect and resell personal information, but there is no one 
commonly agreed-upon term for such companies. FTC has sometimes used 
the term "data brokers" but the companies themselves typically use 
other terms, such as "information solutions providers." 

[2] The Fair Credit Reporting Act, Pub. L. No. 90-321, title VI (May 
29, 1968) as added by Pub. L. No. 91-508, title VI, § 601, 84 Stat. 
1128 (Oct. 26, 1970) (codified at 15 U.S.C. § 1681-1681x); and Title V 
of the Gramm-Leach-Bliley Act (Financial Services Modernization Act of 
1999), Pub. L. No. 106-102, title V, subtitle A, 113 Stat. 1338 (Nov. 
12, 1999) (codified at 15 U.S.C. § 6801-6809). As discussed later in 
this report, other federal laws--such as the Driver's Privacy 
Protection Act of 1994 and the Health Insurance Portability and 
Accountability Act of 1996--also govern the use and sharing of certain 
types of personal information. 

[3] For more information about Internet resellers, see GAO, Social 
Security Numbers: Internet Resellers Provide Few Full SSNs, but 
Congress Should Consider Enacting Standards for Truncating SSNs, 
GAO-06-495 (Washington, D.C.: May 17, 2006). 

[4] We use "nationwide credit bureau" and "nationwide consumer 
reporting agency" interchangeably in this report, and they have the 
same meaning as the FCRA phrase "consumer reporting agency that 
compiles and maintains files on consumers on a nationwide basis." FCRA 
defines this phrase as a consumer reporting agency that regularly 
engages in the practice of assembling or evaluating, and maintaining 
public record information and credit account information for the 
purpose of furnishing consumer reports to third parties bearing on a 
consumer's credit worthiness, credit standing, or credit capacity. 15 
U.S.C. § 1681a(p). 

[5] For information about federal agencies' use of information 
resellers, see GAO, Personal Information: Agency and Reseller Adherence 
to Key Privacy Principles, GAO-06-421 (Washington, D.C.: Apr. 4, 2006). 

[6] Credit header data are the nonfinancial identifying information 
located at the top of a credit report, such as name, current and prior 
addresses, telephone number, and Social Security number. 

[7] This report focuses on how financial institutions use data from 
information resellers in conducting transactions with consumers. We did 
not review other ways that financial institutions use information 
resellers, such as to screen their potential employees or to gather 
information about other businesses. 

[8] The three nationwide credit bureaus use software models developed 
by the Fair Isaac Corporation to produce FICO® credit scores, which are 
credit scores used by many financial services firms. In March 2006, the 
bureaus announced they will begin selling a new credit score that they 
developed jointly. The score will be calculated the same way for each 
credit bureau to enhance consistency among all three bureaus. 

[9] A nationwide specialty CRA is defined in FCRA to mean a CRA that 
compiles and maintains files on consumers on a nationwide basis 
relating to medical records or payments; residential or tenant history; 
check-writing history; employment history; or insurance claims. 15 
U.S.C. § 1681a(w). 

[10] Uniting and Strengthening America by Providing Appropriate Tools 
Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 
2001, Pub. L. No. 107-56, 115 Stat. 272 (Oct. 26, 2001). We will refer 
to the act as the PATRIOT Act. 

[11] Title III of the PATRIOT Act (cited as the "International Money 
Laundering Abatement and Financial Anti-Terrorism Act of 2001") amended 
the U.S. government's anti-money laundering regulatory structure. For 
instance, section 326 added new requirements for the Secretary of the 
Treasury and the federal financial regulators to issue regulations 
setting forth minimum standards for financial institutions to (1) 
verify the identity of persons seeking to open an account; (2) maintain 
records of the information used to verify a person's identity, 
including name, address, and other identifying information; and (3) 
consult lists of known or suspected terrorists or terrorist 
organizations provided to the financial institution by any government 
agency to determine whether a person seeking to open an account appears 
on the list. See 31 U.S.C. § 5318(l). Section 326 requirements for 
customer verification apply to financial institutions broadly, 
including, among others, financial institutions that are subject to 
regulation by one of the federal banking regulators, as well as 
nonfederally insured credit unions, private banks and trust companies; 
securities broker-dealers; futures commission merchants and introducing 
brokers; and mutual funds. 31 U.S.C. § 5312 and 31 C.F.R. Part 103. 

[12] A manufacturer may request that consumers submit their contact 
information on a warranty card in the event of a product malfunction or 
insurance claim. For marketing purposes, many warranty cards request 
additional information on such things as the gender and age of 
household occupants, occupation and income information, spending 
habits, and lifestyle interests; this information is sometimes sold to 
information resellers. 

[13] The Fair Credit Reporting Act, described in more detail below, 
generally permits prescreening only if the financial institution makes 
a firm offer of credit or insurance for all consumers who meet the 
criteria for the credit or insurance being offered. 15 U.S.C. § 
1681b(c)(1)(B). 

[14] This report focuses on the use and sharing of personal information 
among private sector entities, and therefore we only describe laws 
governing these entities. Other laws, primarily the Privacy Act of 
1974, govern the collection and use of personal information by 
government agencies. See Pub. L. No. 93-579, 88 Stat. 1896 (Dec. 31, 
1974), codified at 5 U.S.C. § 552a. 

[15] The Health Insurance Portability and Accountability Act of 1996, 
Pub. L. No. 104-191, § 262, 110 Stat. 1936 (Aug. 21, 1996), codified at 
42 U.S.C. §§ 1320d - 1320d-8, protects the privacy of individually 
identifiable health information. The scope of this work did not include 
the collection and use of health information. 

[16] Pub. L. No. 103-322, title XXX, 108 Stat. 2099 (Sept. 13, 1994) 
(codified at 18 U.S.C. §§ 2721 - 2725). 

[17] 18 U.S.C. § 2721(b)(11). 

[18] Pub. L. No. 63-203, ch. 311, 38 Stat. 717 (Sept. 26, 1914) 
(codified at 15 U.S.C. §§ 41 - 58). 

[19] See 12 U.S.C. § 1867 (FRB, FDIC, and OCC); and 12 U.S.C. § 
1464(d)(7) (OTS). 

[20] Although the scope of this report is limited to federal privacy 
and data security laws, many states have laws of their own that apply 
to the activities of information resellers. Many of these laws require 
companies to notify consumers when their personal data may have been 
lost or stolen. For example, in 2002, California enacted a database 
breach notification act (Cal. Civ. Code § 1798.82), which requires 
disclosure of any security breach of data to any state resident whose 
unencrypted personal information was, or is reasonably believed to have 
been, acquired by an unauthorized person. 

[21] FCRA defines a "consumer report" as "any written, oral, or other 
communication of any information by a consumer reporting agency bearing 
on a consumer's credit worthiness, credit standing, credit capacity, 
character, general reputation, personal characteristics, or mode of 
living which is used or expected to be used or collected in whole or in 
part for the purpose of serving as a factor in establishing the 
consumer's eligibility for (A) credit or insurance to be used primarily 
for personal, family, or household purposes; (B) employment purposes; 
or (C) any other purpose authorized under [15 U.S.C. § 1681b]." 15 
U.S.C. § 1681a(d)(1). 

[22] Pub. L. No. 108-159, 117 Stat. 1952 (Dec. 4, 2003) (codified at 15 
U.S.C. §§ 1681c-1, 1681c-2, 1681x, 1681s-3, 1681w). 

[23] We did not determine which information reseller databases are 
subject to FCRA. The information we include is based on what 
information resellers told us about how FCRA applies to their 
activities. 

[24] Consumers also have the right to receive a free copy of their 
credit file from CRAs when they have been victims of identity theft or 
are subject to an adverse action as a result of information in their 
file, or in certain other circumstances where they are unemployed, 
recipients of public welfare, or have reason to believe that their file 
contains inaccurate information due to fraud. 

[25] FCRA also provides certain other opt-out rights concerning 
affiliate sharing. See 15 U.S.C. §§ 1681a(d)(2)(iii); and 1681s-3. In 
addition to FCRA, GLBA requires that financial institutions allow their 
customers to opt out of the sharing of their nonpublic personal 
information with nonaffiliated companies, unless the sharing falls 
under an exception under GLBA. See 15 U.S.C. § 6802. 

[26] 16 C.F.R. § 610.2. 

[27] 16 C.F.R. § 610.3. 

[28] 15 U.S.C. § 6802. 

[29] See 15 U.S.C. § 6809(9). GLBA defines a consumer as "an individual 
who obtains, from a financial institution, financial products or 
services which are to be used primarily for personal, family, or 
household purposes." Thus, GLBA does not apply to a business customer, 
such as a sole proprietor. 16 C.F.R. § 313.3(e). A "customer" means a 
consumer who has a "customer relationship"--that is, a continuing 
relationship with the financial institution. 

[30] 15 U.S.C. § 6802(e)(3)(B) and (6). 

[31] 15 U.S.C. § 6802(e)(1)(A). 

[32] 15 U.S.C. § 6809(3)(A). 

[33] 12 U.S.C. § 1843(k). This is a list of nonbanking activities 
determined by FRB as of the date of GLBA's enactment to be "so closely 
related to banking or managing or controlling banks as to be a proper 
incident thereto." See 12 C.F.R. § 225.28 (1999). FDIC, FRB, NCUA, OCC, 
OTS and SEC in their implementing GLBA regulations define the term 
"financial institution" as those institutions in the business of 
engaging in activities that are financial in nature or incidental to 
such financial activities. See 12 C.F.R. §§ 40.3(k)(1) (OCC), 
216.3(k)(1) (FRB), 332.3(k)(1) (FDIC), 573.3(k)(1) (OTS), and 
716.3(l)(1) (NCUA); and 17 C.F.R. § 248.3(n)(1) (SEC). See 16 C.F.R. § 
313.3(k)(1) (FTC). 

[34] 16 C.F.R. § 313.18(a)(2); and 65 Fed. Reg. 33646, 33654 (May 24, 
2000). 

[35] 16 C.F.R. §§ 313.3(k)(1) and (3)(iv). 

[36] 12 C.F.R. § 225.28(b)(2)(v) (1999). FRB described credit bureau 
services as those services "maintaining information related to the 
credit history of consumers and providing the information to a credit 
grantor who is considering a borrower's application for credit or who 
has extended credit to the borrower." 

[37] See Trans Union LLC v. FTC, 295 F.3d 42, 48 (D.C. Cir. 2002); and 
16 C.F.R. § 313.3(k). 

[38] A representative of the company noted that, as required by law, 
the data used for these two products are kept in separate databases 
that are not commingled. 

[39] 16 C.F.R. § 313.11 (FTC); see also 12 C.F.R. §§ 40.11 (OCC), 
216.11 (FRB), 332.11 (FDIC), 573.11 (OTS), and 716.11 (NCUA); and 17 
C.F.R. § 248.11 (SEC). The regulations were upheld in Individual 
Reference Services Group, Inc. v. FTC, 145 F. Supp.2d 6, 34 - 35 (D. DC 
2002) ("the use restrictions affirmatively imposed by the Regulations 
are consistent with the purpose of the GLB Act"). 

[40] The FTC regulation states: "[y]ou may disclose and use the 
information pursuant to [a GLBA exception] in the ordinary course of 
business to carry out the activity covered by the exception under which 
you received the information." 16 C.F.R. § 313.11(a)(1)(iii). 

[41] See 15 U.S.C. § 6802(c), which states: "[A] nonaffiliated third 
party that receives from a financial institution nonpublic personal 
information . . . shall not . . . disclose such information to any 
other person that is a nonaffiliated third party of both the financial 
institution and such receiving third party, unless such disclosure 
would be lawful if made directly to such other person by the financial 
institution." This provision is commonly referred to as GLBA's reuse 
and redisclosure provision. See 16 C.F.R. § 313.11(b)(1)(iii). 

[42] See 15 U.S.C. § 6801 note. 

[43] The company said that it does not allow information collected for 
its FCRA-regulated database to be used to update the "pre-GLBA" 
database. 

[44] 15 U.S.C. § 6801. 

[45] See, for example, 16 C.F.R. § 314.3 (FTC). 

[46] See, for example, 16 C.F.R. § 314.4(d). 

[47] The settlement will require BJ's Wholesale Club to implement a 
comprehensive information security program and obtain audits by an 
independent third-party security professional every other year for 20 
years. In the Matter of BJ's Wholesale Club, Inc., F.T.C. No. 0423160 
(2005). A consent agreement does not constitute an admission of a 
violation of law. 

[48] Prepared Statement of the Federal Trade Commission on "Data 
Breaches and Identity Theft" Before the Senate Comm. on Commerce, 
Science, and Transportation, 109th Cong., 1st Sess. (2005). 

[49] Although there is no applicable federal statute governing 
notification of data breaches, the banking agencies have issued 
guidance to financial institutions under their jurisdiction requiring 
them in some cases to notify customers affected by a data breach. 
States that have enacted breach notification requirements include 
Arizona, Arkansas, California, Colorado, Connecticut, Delaware, 
Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, 
Maine, Minnesota, Montana, Nebraska, Nevada, New Jersey, New York, 
North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, 
Tennessee, Texas, Utah, Vermont, Washington, and Wisconsin. Many other 
states have introduced legislation. 

[50] United States v. ChoicePoint, Inc., No. 1:06-cv-00198-JTC (N.D. 
Ga., Feb. 15, 2006). As part of the settlement, ChoicePoint admitted no 
violations of law. According to ChoicePoint, the company has taken 
steps since the breach to enhance its customer screening process and to 
assist affected consumers. 

[51] Congressional Research Service, Personal Data Security Breaches: 
Context and Incident Summaries, Order Code RL33199 (Washington, D.C., 
Dec. 16, 2005). 

[52] For example, Identity Theft: Recent Developments Involving the 
Security of Sensitive Consumer Information: Hearing Before the Senate 
Comm. on Banking, Housing, and Urban Affairs, 109th Cong., 1st Sess. 
(2005); Securing Electronic Personal Data: Striking a Balance Between 
Privacy and Commercial and Governmental Use: Hearing Before the Senate 
Comm. on the Judiciary, 109th Cong., 1st Sess. (2005); Assessing Data 
Security: Preventing Breaches and Protecting Sensitive Information: 
Hearing Before the House Comm. on Financial Services, 109th Cong., 1st 
Sess. (2005); Securing Consumers' Data: Options Following Security 
Breaches: Hearing Before the Subcomm. On Commerce, Trade, and Consumer 
Protection of the House Comm. on Energy and Commerce, 109th Cong., 1st 
Sess. (2005). 

[53] For more information on the key benefits and challenges associated 
with notifying the public about security breaches, see GAO, Privacy: 
Preventing and Responding to Improper Disclosures of Personal 
Information, GAO-06-833T (Washington, D.C.: June 8, 2006). 

[54] FCRA gives enforcement authority to FDIC, FRB, OCC, OTS, and NCUA 
over their banks, thrifts, and credit unions, among other entities. 
FCRA assigned regulatory authority to the Departments of Transportation 
and Agriculture over entities under their jurisdiction. 15 U.S.C. § 
1681s. 

[55] 15 U.S.C. § 6805. GLBA required FTC and other regulators with 
responsibilities under the statute to issue consistent and comparable 
regulations. 15 U.S.C. § 6804. 

[56] 15 U.S.C. § 1681s(c). 

[57] Conn. Gen. Stat. Anno. §§ 36a-41 - 44 (disclosure to broker- 
dealers or investment advisers engaged in contractual networking 
arrangements with the financial institution permitted after the 
customer is given notice and an opportunity to opt out); N.D. Cent. 
Code §§ 6.08.1-01 - 10; Vt. Stat. Anno. Tit 8, §§ 10201 - 10205. 

[58] For instance, FTC staff told us the agency filed suit in the 
following cases: In the Matter of Credit Bureau of Lorain, Inc., 81 
F.T.C. 381 (1972); In the Matter of Credit Bureau of Columbus, Inc., 81 
F.T.C. 938 (1972); In the Matter of Credit Bureau of Greater Syracuse, 
Inc., 84 F.T.C. 1660 (1974); In the Matter of Robert N. Barnes, 85 
F.T.C. 520 (1975); In the Matter of Filmdex Chex System, Inc., 85 
F.T.C. 889 (1975); In the Matter of Credit Data Northwest, 86 F.T.C. 
389 (1975); In the Matter of Interstate Check Systems, Inc., 88 F.T.C. 
984 (1976); In the Matter of Moore & Associates, Inc., 92 F.T.C. 440 
(1978); In the Matter of Howard Enterprises, Inc., 93 F.T.C. 909 
(1979); In the Matter of Trans Union Credit Information Co., 102 F.T.C. 
1109 (1983); FTC v. TRW Inc., 784 F. Supp. 361 (N.D. Tex. 1991); In the 
Matter of I.R.S.C., Inc., 116 F.T.C. 266 (1993); In the Matter of CDB 
Infotek, 116 F.T.C. 280 (1993); In the Matter of Inter-Fact Inc., 116 
F.T.C. 294 (1993); In the Matter of W.D.I.A.Corp., 117 F.T.C. 757 
(1994); In the Matter of Equifax Credit Information Services, Inc., 120 
F.T.C. 577 (1995). See also United States v. ChoicePoint, Inc., No. 
1:06-cv-00198-JTC (N.D. Ga. Feb. 15, 2006); United States v. Far West 
Credit, Inc., No. 2:06-cv-00041-TC (C.D. Utah Jan. 17, 2006); and In 
the Matter of Southern Maryland Credit Bureau, Inc., 101 F.T.C. 19 
(1983). 

[59] In 1996, TRW Inc. sold its credit reporting business to a group of 
investors, who named the new company Experian. 

[60] FTC has also enforced FCRA against resellers for other types of 
violations. For example, in 2000 FTC settled with the three nationwide 
credit bureaus after alleging that consumers were unable to adequately 
access the companies' personnel by telephone to discuss or dispute 
possible errors in their files. United States v. Equifax Credit 
Information Services, Inc., No. 1:00-CV-0087 (N.D. Ga. 2000); United 
States v. Experian Information Solutions, Inc., 3-00CV0056-L. (N.D. Tx. 
2000); and United States v. Trans Union LLC, No. 00C 0235 (N.D. Ill. 
2000). See [Hyperlink, http://www.ftc.gov/opa/2000/01/busysignal.htm]. 
A consent agreement does not constitute an admission of a violation of 
law. 

[61] In the Matter of Equifax Credit Information Services, Inc., 120 
F.T.C. 577 (1995). A consent agreement does not constitute an admission 
of a violation of law. 

[62] In the Matter of Trans Union Corp., F.T.C. No. 9255, 2000 WL 
257766 (2000), petition for review denied, 245 F.3d 809 (D.C. Cir. 
2001). 

[63] United States v. ChoicePoint, Inc., No. 1:06-cv-00198-JTC (N.D. 
Ga., Feb. 15, 2006). 

[64] Injunctions are judicial orders commanding a party to take an 
action or prohibiting a party from doing or continuing to do a certain 
activity. Disgorgement is having to give up profits or other gains 
illegally obtained. 

[65] 15 U.S.C. § 1681s and 15 U.S.C. § 45(l) and (m). Regarding GLBA's 
prohibition against fraudulent access to financial information where a 
person obtains financial information relating to another person under 
false pretences (pretext provisions), GLBA allows FTC to seek civil 
penalties for violations. Specifically, FTC has authority to enforce 
the GLBA pretext provisions in the same manner and with the same power 
and authority as it has under the Fair Debt Collection Practices Act 
(codified at 15 U.S.C. §§ 1692 - 1692o). 15 U.S.C. § 6822(a). A 
violation of the Fair Debt Collection Practices Act is deemed by 
federal law to be an unfair or deceptive act or practice in violation 
of the FTC Act, which means that FTC may impose civil penalties. 15 
U.S.C. § 1692l(a); and United States v. National Financial Services, 
Inc., 98 F.3d 131, 139 - 141 (4th Cir. 1996). According to FTC 
officials, they do not have similar civil penalty authority for 
violations of GLBA's privacy and safeguarding provisions. 

[66] 12 U.S.C. § 1818(i)(2)(A)(i). 

[67] Some exceptions may exist. For example, section 411 of the FACT 
Act (which amended section 604(g) of FCRA (12 U.S.C. 1681b(g))), 
generally limits with certain exceptions creditors' ability to obtain 
or use medical information pertaining to a consumer for credit 
purposes. This section requires the banking regulatory agencies and 
NCUA to issue regulations relating to the use of medical information in 
credit transactions. The regulations apply broadly, and the exceptions 
therein are available to all creditors, not just the financial 
institutions supervised by those agencies. See final rule published at 
70 Fed. Reg. 70664, 70665 - 6 (Nov. 22, 2005). 

[68] In addition to the responsibilities assigned to financial 
institution regulators and FTC, FCRA assigns enforcement authority to 
the Departments of Transportation and Agriculture for entities subject 
to their oversight, such as transportation carriers. 

[69] The various banking agency GLBA and FCRA regulations can be found 
at 12 C.F.R. Parts 40 and 41 (OCC); 12 C.F.R. Parts 216, 222, and 232 
(FRB); 12 C.F.R. Parts 332 and 334 (FDIC); 12 C.F.R. Parts 573 and 571 
(OTS); and 12 C.F.R. Parts 716 and 717 (NCUA). 

[70] 65 Fed. Reg. 35162 (June 1, 2000); and 65 Fed. Reg. 31722 (May 18, 
2000). OCC, FRB, OTS, and FDIC issued their rules jointly. All of the 
rules were substantively identical but contained differences to account 
for differences between the agencies' legal authorities and, as 
appropriate, for the types of institutions within each agency's 
jurisdiction. 

[71] 66 Fed. Reg. 8616 (Feb. 1, 2001) ("Interagency Guidelines 
Establishing Standards for Safeguarding Customer Information") (renamed 
"Interagency Guidelines Establishing Information Security Standards," 
70 Fed. Reg. 15736 (Mar. 29, 2005)). 

[72] 70 Fed. Reg. 15736 (Mar. 29, 2005) ("Interagency Guidance on 
Response Programs for Unauthorized Access to Customer Information and 
Customer Notice"). 

[73] Pub. L. No. 108-109, 117 Stat. 1952 (Dec. 4, 2003). 

[74] See 15 U.S.C. § 1681w; 69 Fed. Reg. 77610 (Dec. 28, 2004); and 69 
Fed. Reg. 68690 (Nov. 24, 2004). 

[75] The examinations are risk-based and conducted in cycles depending 
on the institution's condition and size. Banking regulators are 
required by law, 12 U.S.C. § 1820(d), to examine insured institutions 
for safety and soundness at least once during each 12-month period, 
except for smaller institutions that meet specified conditions that can 
be examined each 18-month period. We use the term "thrifts" to refer to 
savings associations. 

[76] Banking regulators have broad enforcement powers and can take 
formal actions (cease and desist orders, civil money penalties, removal 
orders, and suspension orders, among others) or informal enforcement 
actions (such as memoranda of understanding and board resolutions). 
Informal actions are generally not publicly disclosed. 

[77] 65 Fed. Reg. 40334 (June 29, 2000), codified at 17 C.F.R. Part 
248. SEC, NASD, and NYSE Regulation regulate broker-dealers by, among 
other things, examining their operations and reviewing customer 
complaints. SEC evaluates the quality of NASD and NYSE oversight in 
enforcing their members' compliance with federal securities laws 
through self-regulatory organization oversight inspections and broker- 
dealer oversight examinations. SEC is the primary regulator of 
investment companies and investment advisers registered with the SEC. 

[78] 17 C.F.R. § 248.30. 

[79] An examination finding would be any compliance deficiency 
(including an internal control weakness) or violation requiring 
corrective action. 

[80] NASD Notice to Members 00-66 (September 2000). 

[81] NASDR Regulatory and Compliance Alert (Summer 2001). 

[82] NYSE Information Memoranda Nos. 01-10 (June 19, 2001) and 01-13 
(June 21, 2001). 

[83] 15 U.S.C. § 6805(a)(6). State insurance authorities may enforce 
GLBA and may establish privacy regulations. However, GLBA mandates that 
state insurance authorities establish standards for safeguarding 
customer information and that the standards be implemented by rules. 15 
U.S.C. §§ 6801(b) and 6805(b)(2). Moreover, if a state insurance 
authority fails to adopt regulations to carry out GLBA's privacy and 
safeguarding provisions, the state forfeits its eligibility under GLBA 
to override certain customer protection regulations promulgated by the 
federal depository institution regulators applicable to insurance sales 
by or at depository institutions. 15 U.S.C. § 6805(c). 

[84] We did not corroborate or independently verify NAIC's analysis. 

[85] GAO, Financial Privacy: Status of State Actions on Gramm-Leach- 
Bliley Act's Privacy Provisions, GAO-02-361 (Washington, D.C.: Apr. 12, 
2002). 

[86] District of Columbia, Department of Insurance, Securities and 
Banking, Preliminary Report: Status of Insurance Industry Practices and 
Procedures to Protect the Privacy of Customer Information (September 
2005). According to department staff, the final report is pending. The 
staff said the preliminary and final results should not differ because 
the preliminary results included responses of more than 90 percent of 
the companies, including all of the large companies. 

[87] FTC's GLBA and FCRA regulations can be found at 16 C.F.R. Parts 
313 and 314 and 16 C.F.R. Parts 600 through 698. 

[88] FTC v. 30 Minute Mortgage, Inc., No. 03-60021-CIV (S.D. Fla. 
2003); FTC v. Sainz Enterprises LLC, No. 04WM-2078 (CBS) (D. Co. 2004); 
In the Matter of Superior Mortgage Corp., F.T.C. No. 052-3136 (2005); 
In the Matter of Sunbelt Lending Servs., FTC No. C-4129 (2005); In the 
Matter of Nationwide Mortgage Group, Inc., F.T.C. No 9319 (2005); FTC 
v. Nat'l. Consumer Council, Inc., No. SACV04-0474CJC (JWJX) (C.D. Cal. 
2005); FTC v. Debt Mgmt. Found. Serv., Inc., No. 8:04-cv-01674-EAK-MSS 
(M.D. Fla. 2005). A consent agreement does not constitute an admission 
of a violation of law. 

[89] See 12 U.S.C. § 1867 (FRB, FDIC, and OCC); and 12 U.S.C. § 
1464(d)(7) (OTS). 

[90] In January 2006, we reported on contractors' access to and sharing 
of Social Security numbers and federal oversight of regulated entities 
that contract for services. See GAO, Social Security Numbers: Stronger 
Protections Needed When Contractors Have Access to SSNs, GAO-06-238 
(Washington, D.C.: Jan. 23, 2006). 

[91] NCUA had temporary authority to examine third-party service 
providers under the Examination Parity and Year 2000 (Y2K) Readiness 
for Financial Institutions Act, Pub. L. No. 105-164, 112 Stat. 32 (Mar. 
20, 1998) but that authority expired as of December 31, 2001. 12 U.S.C. 
§ 1786a(c) and (f). 

[92] GAO, Credit Unions: Financial Condition Has Improved, but 
Opportunities Exist to Enhance Oversight and Share Insurance 
Management, GAO-04-91 (Washington, D.C.: Oct. 27, 2003). 

[93] NASD Notice to Members 05-48 (July 2005). 

[94] NASD Notice to Members 05-49 (July 2005). 

[95] SR-NYSE-2005-22, Proposed Rule 340, Outsourcing: Due Diligence and 
Conditions in the Use of Service Providers, and Proposed Amendments to 
Rule 342, Offices - Approval, Supervision and Control (Mar. 16, 2005).

[96] See Testimony of the Federal Trade Commission before the Senate 
Committee on Science, Commerce, and Transportation at p. 7, available 
at [Hyperlink, http://www.ftc.gov/opa/2005/06/datasectest.htm].

[97] Id. at p. 9, n.18.

[98] To date, the Commission has brought 13 legal actions against 
entities that allegedly failed to implement reasonable and appropriate 
data security for sensitive consumer data. See [Hyperlink, 
http://www.ftc.gov/privacy/index.html]. 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site (www.gao.gov) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548 

To order by Phone: 

Voice: (202) 512-6000 

TDD: (202) 512-2537 

Fax: (202) 512-6061 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470 

Public Affairs: 

Jeff Nelligan, managing director, 

NelliganJ@gao.gov 

(202) 512-4800 

U.S. Government Accountability Office, 

441 G Street NW, Room 7149 

Washington, D.C. 20548